diff --git a/src/azure-cli/azure/cli/command_modules/resource/custom.py b/src/azure-cli/azure/cli/command_modules/resource/custom.py
index 1d0b871f4a7..ade08ea1d1d 100644
--- a/src/azure-cli/azure/cli/command_modules/resource/custom.py
+++ b/src/azure-cli/azure/cli/command_modules/resource/custom.py
@@ -619,13 +619,21 @@ def _resolve_policy_id(cmd, policy, policy_set_definition, client):
 def _parse_management_group_reference(name):
- if name.lower().startswith('/providers/microsoft.management/managementgroups'):
+ if _is_management_group_scope(name):
 parts = name.split('/')
 if len(parts) >= 9:
 return parts[4], parts[8]
 return None, name
+def _parse_management_group_id(scope):
+ if _is_management_group_scope(scope):
+ parts = scope.split('/')
+ if len(parts) >= 5:
+ return parts[4]
+ return None
+
+
 def _get_custom_or_builtin_policy(cmd, client, name, subscription=None, management_group=None, for_policy_set=False):
 from msrest.exceptions import HttpOperationError
 from msrestazure.azure_exceptions import CloudError
@@ -1388,8 +1396,11 @@ def list_policy_assignment(cmd, disable_scope_strict_match=None, resource_group_
 resource_group = id_parts.get('resource_group')
 resource_type = id_parts.get('child_type_1') or id_parts.get('type')
 resource_name = id_parts.get('child_name_1') or id_parts.get('name')
+ management_group = _parse_management_group_id(scope)
- if all([resource_type, resource_group, subscription]):
+ if management_group:
+ result = policy_client.policy_assignments.list_for_management_group(management_group_id=management_group, filter='atScope()')
+ elif all([resource_type, resource_group, subscription]):
 namespace = id_parts.get('namespace')
 parent_resource_path = '' if not id_parts.get('child_name_1') else (id_parts['type'] + '/' + id_parts['name'])
 result = policy_client.policy_assignments.list_for_resource(
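Review bot: `_parse_management_group_id` returns `parts[4]` for any string that passes the prefix test and has five or more segments, so an ID that continues below the group (extra segments after the name) is reduced to the group name, and a scope ending in `managementGroups/` yields an empty string rather than `None`. The caller added in the next hunk (`list_policy_assignment`) then lists assignments for the whole group, and with `disable_scope_strict_match` set nothing narrows that result again. If only an exact management-group scope is meant to be accepted, tighten the guard to `if len(parts) >= 5 and parts[4] and not any(parts[5:]):`. A one-line docstring stating the accepted input and the `None` result would also help, e.g. `"""Return the management group name from a management-group scope, or None."""`.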
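Review bot: The added `list_for_management_group(..., filter='atScope()')` call has no comment explaining the filter, and it is written on a single line of roughly 125 characters before indentation while the `list_for_resource(` call below it wraps its arguments. As far as I know `atScope()` on this API also returns assignments inherited from ancestor management groups, which matters because the exact-scope filter at the end of the function is skipped when `disable_scope_strict_match` is set; a comment such as `# atScope() also returns assignments inherited from parent groups; the strict-match filter below trims them` would record that. Wrapping the call one argument per line would match the neighbouring branch. `list_policy_assignment` begins and ends outside this hunk.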
@@ -1402,10 +1413,10 @@ def list_policy_assignment(cmd, disable_scope_strict_match=None, resource_group_
 elif scope:
 raise CLIError('usage error `--scope`: must be a fully qualified ARM ID.')
 else:
- raise CLIError('usage error: --scope ARM_ID | --resource-group NAME | --subscription ID')
+ raise CLIError('usage error: --scope ARM_ID | --resource-group NAME')
 if not disable_scope_strict_match:
- result = [i for i in result if _scope.lower() == i.scope.lower()]
+ result = [i for i in result if _scope.lower().strip('/') == i.scope.lower().strip('/')]
 return result
@@ -1649,11 +1660,15 @@ def _get_subscription_id_from_subscription(cli_ctx, subscription): # pylint: di
 def _get_parent_id_from_parent(parent):
- if parent is None or parent.startswith("/providers/Microsoft.Management/managementGroups/"):
+ if parent is None or _is_management_group_scope(parent):
 return parent
 return "/providers/Microsoft.Management/managementGroups/" + parent
+def _is_management_group_scope(scope):
+ return scope is not None and scope.lower().startswith("/providers/microsoft.management/managementgroups")
+
+
 def cli_managementgroups_group_list(cmd, client):
 _register_rp(cmd.cli_ctx)
 return client.list()
diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_default.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_default.yaml
index 08e72ad2288..125654005ae 100644
--- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_default.yaml
+++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_default.yaml
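Review bot: The new comparison in `list_policy_assignment` calls `_scope.lower().strip('/')` once per element inside the comprehension, and `strip('/')` removes leading as well as trailing slashes on both sides without a comment saying which difference it is meant to absorb. Hoisting the normalised value, `wanted = _scope.lower().strip('/')` followed by `result = [i for i in result if i.scope.lower().strip('/') == wanted]`, keeps the comparison readable and computes it once. A short comment such as `# scopes may differ only by a leading/trailing '/'` (wording to be confirmed by the author) would explain why exact string equality was not enough. `_scope` is assigned outside this hunk.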
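Review bot: `_is_management_group_scope` matches on the prefix `/providers/microsoft.management/managementgroups` with no trailing `/`, so a path whose fourth segment merely starts with `managementgroups` also counts as a management-group scope. For `_get_parent_id_from_parent` this is looser than the check it replaces, which required the trailing slash and exact case, and such a `parent` is now returned unchanged as an ID. Ending the literal with a slash, `scope.lower().startswith("/providers/microsoft.management/managementgroups/")`, closes that gap; the three callers visible in this diff all appear to need a segment after `managementGroups` anyway. A one-line docstring stating that the test is a case-insensitive prefix match and that `None` yields `False` would also help, since the helper is defined far below its first use.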
@@ -22,7 +22,7 @@ interactions: ParameterSetName: - -n --rules --params --display-name --description --mode --metadata User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -30,7 +30,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: 
@@ -41,7 +41,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:53 GMT + - Tue, 11 Feb 2020 19:53:42 GMT expires: - '-1' pragma: @@ -51,7 +51,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1183' + - '1199' status: code: 201 message: Created @@ -69,7 +69,7 @@ interactions: ParameterSetName: - -n --description --display-name --metadata User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -77,7 +77,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -88,7 +88,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:54 GMT + - Tue, 11 Feb 2020 19:53:42 GMT expires: - '-1' pragma: @@ -127,7 +127,7 @@ interactions: ParameterSetName: - -n --description --display-name --metadata User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -135,7 +135,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:55.3292795Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:43.1330997Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -146,7 +146,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:54 GMT + - Tue, 11 Feb 2020 19:53:42 GMT expires: - '-1' pragma: @@ -156,7 +156,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1191' + - '1199' status: code: 201 message: Created 
@@ -174,7 +174,7 @@ interactions: ParameterSetName: - -n --description --display-name --metadata --params --rules User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -182,7 +182,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:55.3292795Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:43.1330997Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: 
@@ -193,7 +193,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:55 GMT + - Tue, 11 Feb 2020 19:53:43 GMT expires: - '-1' pragma: @@ -231,7 +231,7 @@ interactions: ParameterSetName: - -n --description --display-name --metadata --params --rules User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -239,7 +239,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:56.6285028Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: cache-control: @@ -249,7 +249,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:56 GMT + - Tue, 11 Feb 2020 19:53:43 GMT expires: - '-1' pragma: @@ -259,7 +259,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1190' + - '1199' status: code: 201 message: Created 
@@ -275,7 +275,7 @@ interactions: Connection: - keep-alive User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -283,6982 +283,6839 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-09-01 response: body: - string: "{\"value\":[{\"properties\":{\"displayName\":\"Microsoft Managed Control - 1599 - Developer Configuration Management | Software / Firmware Integrity - Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0004bbf0-5099-4179-869e-e9ffe5fb0945\"},{\"properties\":{\"displayName\":\"Audit - virtual machines without disaster recovery configured\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 + - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit + virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. To learn - more about disaster recovery, visit https://aka.ms/asr-doc.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Resources/links\",\"existenceCondition\":{\"field\":\"name\",\"like\":\"ASR-Protect-*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + more about disaster recovery, visit 
https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an Function app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"001802d1-4969-4c82-a700-c29c6c6f9bbd\"},{\"properties\":{\"displayName\":\"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For - Availability Of Information / Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"00379355-8932-4b52-b63a-3bc6daf3451a\"},{\"properties\":{\"displayName\":\"Microsoft + Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static - Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0062eb8b-dc75-4718-8ea5-9bb4a9606655\"},{\"properties\":{\"displayName\":\"Azure - Backup should be enabled for Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data - recovery and is easier to enable than other cloud backup services.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"backup\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"013e242c-8828-4970-87b3-ab247555486d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1142 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01524fa8-4555-48ce-ba5f-c3b8dcef5147\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1099 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01910bab-8639-4bd0-84ef-cc53b24d79ba\"},{\"properties\":{\"displayName\":\"Microsoft + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft + Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft + Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01f7726b-db54-45c2-bcb5-9bd7a43796ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1709 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"025992d6-7fee-4137-9bbf-2ffc39c0686c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1052 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"027cae1c-ec3e-4492-9036-4168d540c42a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1034 - Least Privilege\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a5ed00-6d2e-4e97-9a98-46c32c057329\"},{\"properties\":{\"displayName\":\"[Preview]: + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + Managed Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft + Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft + Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status - does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a84be7-c304-421f-9bb7-5d2c26af54ad\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1623 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02ce1b22-412a-4528-8630-c42146f917ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1515 - Personnel 
Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02dd141a-a2b2-49a7-bcbd-ca31142f6211\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1327 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03188d8f-1ae5-4fe1-974d-2d7d32ef937d\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft + Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft + Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate - Accounting Of Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03752212-103c-4ab8-a306-7e813022ca9d\"},{\"properties\":{\"displayName\":\"Microsoft + Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level - Adjustment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03996055-37a4-45a5-8b70-3f1caa45f87d\"},{\"properties\":{\"displayName\":\"Microsoft + Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - - Minimal Operational Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ad326e-d7a1-44b1-9a76-e17492efc9e4\"},{\"properties\":{\"displayName\":\"Microsoft + - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated - Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03b78f5e-4877-4303-b0f4-eb6583f25768\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1361 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ed3be1-7276-4452-9a5d-e4168565ac67\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1594 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"042ba2a1-8bb8-45f4-b080-c78cf62b90e9\"},{\"properties\":{\"displayName\":\"SQL - managed instance TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft + Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft + Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL + managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"048248b0-55cd-46da-b1ff-39efd52db260\"},{\"properties\":{\"displayName\":\"[Preview]: + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable Dependency Agent for Linux VMs - 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenc
eCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04c4380f-3fae-46e8-96c9-30193528f602\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Service Bus to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"ap
iVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04d53d87-841c-4f23-8a5b-21564380b55e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1572 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics 
Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft + Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not 
installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"
field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandl
erVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"053d3325-282c-4e5c-b944-24faffd30d77\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1331 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05460fe2-301f-4ed1-8174-d62c8bb92ff4\"},{\"properties\":{\"displayName\":\"Vulnerability + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"typ
e":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft + Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive - scan reports\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send scan reports to' field in + scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Azure Data Lake Store should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic + logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057ef27e-665e-4328-8ea3-04b3122bd9fb\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate - Physical Systems / Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1223 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1640 - Transmission Confidentiality And Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a289ce-6a20-4b75-a0f3-dc8601b6acd0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1420 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05ae08cc-a282-413b-90c7-21a2c60b8404\"},{\"properties\":{\"displayName\":\"Microsoft + Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft + Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft + Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft + Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive - Or Caching Resolver)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063b540e-4bdc-4e7a-a569-3a42ddf22098\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1688 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063c3f09-e0f0-4587-8fd5-f4276fae675f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1332 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068260be-a5e6-4b0a-a430-cd27071c226a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1455 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068a88d4-e520-434e-baf0-9005a8164e6a\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit SQL DB Level Audit Setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - DB level audit setting for SQL databases\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Audit 
Setting\"},\"allowedValues\":[\"enabled\",\"disabled\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Audit - VMs that do not use managed disks\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits VMs that do not use managed disks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/osDisk.uri\",\"exists\":\"True\"}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/VirtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers\",\"exists\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl\",\"exists\":\"True\"}]}]}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a4d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1366 - Incident Handling | Information Correlation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06c45c30-ae44-4f0f-82be-41331da911cc\"},{\"properties\":{\"displayName\":\"Microsoft + Or Caching Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft + Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft + Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft + Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: + Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This + policy audits VMs that do not use managed 
disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated - Proxy Servers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"07557aa0-e02f-4460-9a81-8ecd2fed601a\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS + should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. 
Allow only required domains to interact with your Function app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0820b7b9-23aa-4725-a1ce-ae4558f718e5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Cont
ainers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",
\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0868462e-646c-4fe3-9ced-a733534b6a2c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1583 - Information System 
Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0882d488-8e80-4466-bc0f-0cd15b6cb66d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + values: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft
.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","param
eters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft + Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08b17839-76c6-4015-90e0-33d9d54d219c\"},{\"properties\":{\"displayName\":\"Deploy - 
Diagnostic Settings for Search Services to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The 
diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\"
:{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08ba64b8-738f-4918-9686-730d2ed79c7d\"},{\"properties\":{\"displayName\":\"Adaptive + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from 
dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive Network Hardening recommendations should be applied on internet facing virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"adaptiveNetworkHardenings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08e6af2d-db70-460a-bfe9-d5bd474ba9d6\"},{\"properties\":{\"displayName\":\"There - should be more than one owner assigned to your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There + should be more than one owner 
assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateMoreThanOneOwner\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09024ccc-0c5f-475e-9457-b7c0d9ed487b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1159 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0925f098-7877-450b-8ba4-d1e55f2d8795\"},{\"properties\":{\"displayName\":\"Disk - 
encryption should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"VMs + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft + Managed Control 1159 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk + encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as 
recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0961003e-5a0a-4549-abde-af6a37f2724d\"},{\"properties\":{\"displayName\":\"Microsoft + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. 
Users) | Network - Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09828c65-e323-422b-9774-9d5c646124da\"},{\"properties\":{\"displayName\":\"Configure - backup on VMs of a location to an existing central Vault in the same location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure + backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the 
same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Backup\"},\"parameters\":{\"vaultLocation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Location - (Specify the location of the VMs that you want to protect)\",\"description\":\"Specify + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up - to a vault in the same location.\\nFor example - southeastasia\",\"strongType\":\"location\"}},\"backupPolicyId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Backup - Policy (of type Azure VM from a vault in the location chosen above)\",\"description\":\"Specify + to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup + Policy (of type Azure VM from a vault in the location chosen above)","description":"Specify the id of the Azure backup policy to configure backup of the virtual machines. The selected Azure backup policy should be of type Azure virtual machine. 
This policy needs to be in a vault that is present in the location chosen - above.\\nFor example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/\",\"strongType\":\"Microsoft.RecoveryServices/vaults/backupPolicies\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"deployIfNotExists\",\"auditIfNotExists\",\"disabled\"],\"defaultValue\":\"deployIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"location\",\"equals\":\"[parameters('vaultLocation')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute
/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"S
LES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\",\"/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b\"],\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{
\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[concat('DeployProtection-',uniqueString(parameters('protectedItems')))]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[first(skip(split(parameters('backupPolicyId'), - '/'), 4))]\",\"subscriptionId\":\"[first(skip(split(parameters('backupPolicyId'), - '/'), 2))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"type\":\"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems\",\"name\":\"[concat(first(skip(split(parameters('backupPolicyId'), - '/'), 8)), '/', parameters('fabricName'), '/',parameters('protectionContainers'), - '/', parameters('protectedItems'))]\",\"apiVersion\":\"2016-06-01\",\"properties\":{\"protectedItemType\":\"Microsoft.Compute/virtualMachines\",\"policyId\":\"[parameters('backupPolicyId')]\",\"sourceResourceId\":\"[parameters('sourceResourceId')]\"}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"[parameters('fabricName')]\"},\"protectionContainers\":{\"value\":\"[parameters('protectionContainers')]\"},\"protectedItems\":{\"value\":\"[parameters('protectedItems')]\"},\"sourceResourceId\":{\"value\":\"[parameters('sourceResourceId')]\"}}}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"Azure\"},\"protectionContainers\":{\"value\":\"[concat('iaasvmcontainer;iaasvmcontainerv2;', - resourceGroup().name, ';' 
,field('name'))]\"},\"protectedItems\":{\"value\":\"[concat('vm;iaasvmcontainerv2;', - resourceGroup().name, ';' ,field('name'))]\"},\"sourceResourceId\":{\"value\":\"[concat('/subscriptions/', - subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09ce66bc-1220-4153-8104-e3f51c936913\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1654 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a2ee16e-ab1f-414a-800b-d1608835862b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a560d32-8075-4fec-9615-9f7c853f4ea9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1428 - Media Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a77fcc7-b8d8-451a-ab52-56197913c0c7\"},{\"properties\":{\"displayName\":\"Audit - resource location matches resource group location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that the resource location matches its resource group 
location\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"policyRule\":{\"if\":{\"field\":\"location\",\"notIn\":[\"[resourcegroup().location]\",\"global\"]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a914e76-4921-4c19-b460-a2d36003525a\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + above.\nFor example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/","strongType":"Microsoft.RecoveryServices/vaults/backupPolicies"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["deployIfNotExists","auditIfNotExists","disabled"],"defaultValue":"deployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"location","equals":"[parameters(''vaultLocation'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalld
isk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*
"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c","/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"type":"Microsoft.RecoveryServices/backupprotecteditems","deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"String"},"fabricName":{"type":"String"},"protectionContainers":{"type":"String"},"prot
ectedItems":{"type":"String"},"sourceResourceId":{"type":"String"}},"resources":[{"apiVersion":"2017-05-10","name":"[concat(''DeployProtection-'',uniqueString(parameters(''protectedItems'')))]","type":"Microsoft.Resources/deployments","resourceGroup":"[first(skip(split(parameters(''backupPolicyId''), + ''/''), 4))]","subscriptionId":"[first(skip(split(parameters(''backupPolicyId''), + ''/''), 2))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"String"},"fabricName":{"type":"String"},"protectionContainers":{"type":"String"},"protectedItems":{"type":"String"},"sourceResourceId":{"type":"String"}},"resources":[{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","name":"[concat(first(skip(split(parameters(''backupPolicyId''), + ''/''), 8)), ''/'', parameters(''fabricName''), ''/'',parameters(''protectionContainers''), + ''/'', parameters(''protectedItems''))]","apiVersion":"2016-06-01","properties":{"protectedItemType":"Microsoft.Compute/virtualMachines","policyId":"[parameters(''backupPolicyId'')]","sourceResourceId":"[parameters(''sourceResourceId'')]"}}]},"parameters":{"backupPolicyId":{"value":"[parameters(''backupPolicyId'')]"},"fabricName":{"value":"[parameters(''fabricName'')]"},"protectionContainers":{"value":"[parameters(''protectionContainers'')]"},"protectedItems":{"value":"[parameters(''protectedItems'')]"},"sourceResourceId":{"value":"[parameters(''sourceResourceId'')]"}}}}]},"parameters":{"backupPolicyId":{"value":"[parameters(''backupPolicyId'')]"},"fabricName":{"value":"Azure"},"protectionContainers":{"value":"[concat(''iaasvmcontainer;iaasvmcontainerv2;'', + resourceGroup().name, '';'' ,field(''name''))]"},"protectedItems":{"value":"[concat(''vm;iaasvmcontainerv2;'', + resourceGroup().name, '';'' 
,field(''name''))]"},"sourceResourceId":{"value":"[concat(''/subscriptions/'', + subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, + ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft + Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft + Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit + resource location matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Account 
Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Account Management'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''System Audit Policies + - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"
field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":
{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a9991e6-21be-49f9-8916-a06d934bcf29\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1044 - Unsuccessful Logon Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0abbac52-57cf-450d-8408-1208d0dd9e90\"},{\"properties\":{\"displayName\":\"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft + Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0afce0b3-dd9f-42bb-af28-1e4284ba8311\"},{\"properties\":{\"displayName\":\"Email - notification to subscription owner for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email + notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b15565f-aa9e-48ba-8619-45960f2c314d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b1aa965-7502-41f9-92be-3e2fe7cc392a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1020 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b291ee8-3140-4cad-beb7-568c077c78ce\"},{\"properties\":{\"displayName\":\"Key - Vault objects should be recoverable\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft + Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft + Managed Control 1020 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key + Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object - is deleted. When 'Purge protection' is on, a vault or an object in deleted + is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. 
These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"equals\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1115 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b653845-2ad9-4e09-a4f3-5a7c1d78353d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1239 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0be51298-f643-4556-88af-d7db90794879\"},{\"properties\":{\"displayName\":\"Ensure - API app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. 
- Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0c192fe8-9cbb-4516-85b3-0ade8bd03886\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1496 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ca96127-2f87-46ab-a4fc-0d2a786df1c8\"},{\"properties\":{\"displayName\":\"SQL - server TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + policy will be followed.","metadata":{"version":"1.0.0","category":"Key 
Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft + Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft + Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure + API app has ''Client Certificates (Incoming client certificates)'' set to + ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft + Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/servers/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d134df8-db83-46fb-ad72-fe0c9428c8dd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1518 - Personnel 
Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d58f734-c052-40e9-8b2f-a1c2bff0b815\"},{\"properties\":{\"displayName\":\"Microsoft + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft + Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity - Checks\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d87c70b-5012-48e9-994b-e70dd4b8def0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1466 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d943a9c-a6f1-401f-a792-740cdb09c451\"},{\"properties\":{\"displayName\":\"[Preview]: + Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft + Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard - is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which Windows Defender Exploit Guard - is not enabled. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0da106f2-4ca3-48e8-bc85-c638fe6aea8f\"},{\"properties\":{\"displayName\":\"Microsoft + is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines on which Windows Defender Exploit Guard is not enabled. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary - Or Machine Executable 
Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0dced7ab-9ce5-4137-93aa-14c13e06ab17\"},{\"properties\":{\"displayName\":\"[Preview]: - Authorized IP ranges should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Restrict + Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: + Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"field\":\"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + debugging should be turned off for Function 
Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. Remote debugging - should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e60b895-3786-45da-8377-9c6b4b6ac5f9\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for MariaDB\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMariaDB/servers\"},{\"field\":\"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ec47710-77ff-4a3d-9181-6aa50af424d0\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to enable Guest Configuration Policy on Windows VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy + prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk
.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforWindows\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforWindows\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ecd903d-91e7-4726-83d3-a229d7f2e293\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1601 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1476 - Fire Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f3c4ac2-3e35-4906-a80b-473b12a622d7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1204 - Access Restrictions For Change | Review System Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f4f6750-d1ab-4a4c-8dfd-af3237682665\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1430 - Media Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f559588-5e53-4b14-a7c4-85d28ebc2234\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1574 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f935dab-83d6-47b8-85ef-68b8584161b9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1164 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fb8d3ce-9e96-481c-9c68-88d4e3019310\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1017 - Account Management | Inactivity Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fc3db37-e59a-48c1-84e9-1780cedb409e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1087 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"100c82ba-42e9-4d44-a2ba-94b209248583\"},{\"properties\":{\"displayName\":\"[Preview]: + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"
allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft + Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft + Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft + Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft + Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft + Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft + Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft + Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft + Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified - certificates in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification - Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). It also creates + Authorities certificate store (Cert:\\LocalMachine\\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateThumbprints\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints\",\"description\":\"A semicolon-separated list of - certificate thumbprints that should exist under the Trusted Root certificate - store (Cert:\\\\LocalMachine\\\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"
Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', - '=', parameters('CertificateThumbprints')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsCertificateInTrustedRoot\"},\"CertificateThumbprints\":{\"value\":\"[parameters('CertificateThumbprints')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateThumbprints\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"106ccbe4-a791-4f33-a44a-06796944b8d5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1554 - Vulnerability Scanning | Discoverable Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10984b4e-c93e-48d7-bf20-9c03b04e9eca\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the Function - App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field"
:"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft + Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the Function + App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10c1859c-e1a7-4df3-ab97-a487fa8059f6\"},{\"properties\":{\"displayName\":\"Custom - subscription owner roles should not exist\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that no custom subscription owner roles exist.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"},{\"anyOf\":[{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions.actions[*]\",\"notEquals\":\"*\"}}]},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notIn\":[\"[concat(subscription().id,'/')]\",\"[subscription().id]\",\"/\"]}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notLike\":\"/providers/Microsoft.Management/*\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1230 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"11158848-f679-4e9b-aa7b-9fb07d945071\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1432 - Media 
Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1140e542-b80d-4048-af45-3f7245be274b\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Dependency Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom + subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that no custom subscription owner roles 
exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft + Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft + Managed Control 1432 
- Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: + Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"an
yOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canoni
cal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"11ac78e3-31bc-4f0c-8434-37ab963cea07\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1655 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"121eab72-390e-4629-a7e2-6d6184f57c6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1681 - Malicious Code Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12623e7e-4736-4b2e-b776-c1600f35f93a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1240 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"129eb39f-d79a-4503-84cd-92f036b5e429\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft + Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft + Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft + Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - System objects'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemobjects\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ae2d24-3805-4b37-9fa9-465968bfbcfa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1666 - System And 
Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12e30ee3-61e6-4509-8302-a871e8ebb91e\"},{\"properties\":{\"displayName\":\"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toL
ower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft + Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines + installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications 
installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"installedApplication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the applications that should be installed. e.g. 'Microsoft - SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL - Server 2014*' (to match any application starting with 'Microsoft SQL Server - 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]bwhitelistedapp;Name', - '=', 
parameters('installedApplication')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WhitelistedApplication\"},\"installedApplication\":{\"value\":\"[parameters('installedApplication')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"installedApplication\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + names (supports wildcards)","description":"A semicolon-separated list of the + names of the applications that should be installed. e.g. 
''Microsoft SQL Server + 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","
exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) - | Acceptance Of PIV Creds. From Other Agys.\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"131a2706-61e9-4916-a164-00e052056462\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1450 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"134d7a13-ba3e-41e2-b236-91bfcfa24e01\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1184 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1085 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d117e0-38b0-4bbb-aaab-563be5dd10ba\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1404 - Maintenance Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d8f903-0cd6-449f-a172-50f6579c182b\"},{\"properties\":{\"displayName\":\"Microsoft + | Acceptance Of PIV Creds. 
From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft + Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft + Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft + Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft + Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion - Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13fcf812-ec82-4eda-9b89-498de9efd620\"},{\"properties\":{\"displayName\":\"Deploy + Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains - any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members - to exclude\",\"description\":\"A semicolon-separated list of members that - should be excluded in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":
\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', - '=', parameters('MembersToExclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToExclude\"},\"MembersToExclude\":{\"value\":\"[parameters('MembersToExclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToExclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"144f1397-32f9-4598-8c88-118decc3ccba\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1157 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"15495367-cf68-464c-bbc3-f53ca5227b7a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1491 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1571dd40-dafc-4ef4-8f55-16eba27efc7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1564 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"157f0ef9-143f-496d-b8f9-f8c8eeaad801\"},{\"properties\":{\"displayName\":\"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members + to exclude","description":"A semicolon-separated list of members that should + be excluded in the Administrators local group. 
Ex: Administrator; myUser1; + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + ''='', parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft + Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft + Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password - age of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16390df4-2f73-4b42-af13-c801066763df\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1662 - Fail In Known 
State\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"165cb91f-7ea8-4ab7-beaf-8636b98c9d15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1684 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16bfdb59-db38-47a5-88a9-2e9371a638cf\"},{\"properties\":{\"displayName\":\"Show + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft + Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft + Managed Control 1684 - Information System 
Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell - modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + modules installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16f9b37c-4408-4c30-bc17-254958f2e2d6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1103 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16feeb31-6377-437e-bbab-d7f73911896d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1007 - Account 
Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17200329-bf6c-46d8-ac6d-abf4641c2add\"},{\"properties\":{\"displayName\":\"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Comp
ute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft + Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) - | Use Of FICAM-Approved Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17641f70-94cd-4a5d-a613-3d1143e20e34\"},{\"properties\":{\"displayName\":\"Deploy - associations for a managed application\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy + associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. 
This policy deployment does not support nested resource - types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Managed Application\"},\"parameters\":{\"targetManagedApplicationId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Managed - application ID\",\"description\":\"Resource ID of the managed application - to which resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - types to associate\",\"description\":\"The list of resource types to be associated - to the managed application.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association - name prefix\",\"description\":\"Prefix to be added to the name of the association - resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), - '-', uniqueString(parameters('targetManagedApplicationId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetManagedApplicationId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), - '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), - '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', 
uniqueString(parameters('targetManagedApplicationId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, - '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetManagedApplicationId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetManagedApplicationId\":{\"value\":\"[parameters('targetManagedApplicationId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17763ad9-70c0-4794-9397-53d765932634\"},{\"properties\":{\"displayName\":\"Transparent - Data Encryption on SQL databases should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which + resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource + types to associate","description":"The list of resource types to be associated + to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association + name prefix","description":"Prefix to be added to the name of the association + resource being 
created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), + ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetManagedApplicationId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), + ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), + ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', + uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, + 
''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent data encryption should be enabled to protect data-at-rest and meet compliance - requirements\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"enabled\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17k78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1325 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1845796a-7581-49b2-ae20-443121538e19\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1480 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18a767cc-1947-4338-a240-bc058c81164f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1369 - Incident Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18cc35ed-a429-486d-8d59-cb47e87304ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1269 - Alternate Storage Site | Separation From Primary Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"19b9439d-865d-4474-b17d-97d2702fdb66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1071 - Wireless Access | Restrict Configurations By Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a437f5b-9ad6-4f28-8861-de404d511ae4\"},{\"properties\":{\"displayName\":\"Azure - Monitor log profile should collect logs for categories 'write,' 'delete,' - and 'action'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that a log profile collects logs for categories 'write,' 'delete,' - and 'action'\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logprofiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Write\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Delete\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Action\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a4e592a-6a6e-44a5-9814-e36264ca96e7\"},{\"properties\":{\"displayName\":\"[Preview]: - Access to App Services should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft + Managed Control 1325 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft + Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft + Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft + Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft + Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure + Monitor log profile should collect logs for categories ''write,'' ''delete,'' + and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy + ensures that a log profile collects logs for categories ''write,'' ''delete,'' + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: + Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive 
and allow inbound traffic from ranges - that are too broad\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToAppServices\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a833ff1-d297-4a0f-9944-888428f8e0ff\"},{\"properties\":{\"displayName\":\"Vulnerability - assessment should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + that are too broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1b7aa243-30e4-4c9e-bca8-d0d3022b634a\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the Api 
app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + and/or new functionalities of the latest 
version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","type":"Microsoft.Authorization/policyDefinitions","name":"1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. 
The list of OS images will be updated over - time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Co
mpute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c210e94-a481-4beb-95fa-1571b434fb04\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1ca29e41-34ec-4e70-aba9-6248aca18c31\"},{\"properties\":{\"displayName\":\"Microsoft + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"all
Of":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachine
s/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft + Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative - Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1cb067d5-c8b5-4113-a7ee-0a493633924b\"},{\"properties\":{\"displayName\":\"Microsoft + Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests - Of Consumers And Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d01ba6c-289f-42fd-a408-494b355b6222\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1088 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d50f99d-1356-49c0-934a-45f742ba7783\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1538 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d7658b2-e827-49c3-a2ae-6d2bd0b45874\"},{\"properties\":{\"displayName\":\"Virtual - machines should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft + Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft + Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual + machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachines\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicCompute/virtualMachines\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d84d5fb-01f6-4d12-ba4f-4a26081d403d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1298 - Identification And Authentication Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1dc784b5-4895-4d27-9d40-a06b032bd1ee\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft + Managed Control 1298 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1de7b11d-1870-41a5-8181-507e7c663cfb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1595 - 
Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e0414e7-6ef5-4182-8076-aa82fbb53341\"},{\"properties\":{\"displayName\":\"Require - tag and its value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces - a required tag and its value. Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"equals\":\"[parameters('tagValue')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e30110a-5ceb-460c-a204-c1c3969c6d62\"},{\"properties\":{\"displayName\":\"An - Azure Active Directory administrator should be provisioned for SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Using older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require + tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An + Azure Active Directory administrator should be provisioned for SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/administrators\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f314764-cb73-4fc9-b863-8eca98ac36e9\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Event Hub to Log Analytics 
workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVer
sion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f6e93e8-6b31-41b1-83f6-36e449a42579\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Shutdown'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Shutdown: Allow system to be shut down without having to log on\",\"description\":\"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen.\"},\"defaultValue\":\"0\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Shutdown: Clear virtual memory pagefile\",\"description\":\"Specifies whether + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. 
For systems with large amounts of RAM, this - could result in substantial time needed to complete the shutdown.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":
\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Shutdown: - Allow system to be shut down without having to log on;ExpectedValue', '=', - parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'), ',', 'Shutdown: - Clear virtual memory pagefile;ExpectedValue', '=', 
parameters('ShutdownClearVirtualMemoryPagefile')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsShutdown\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},\"ShutdownClearVirtualMemoryPagefile\":{\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"string\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: - Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: - Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: - Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: - Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f8c20ce-3414-4496-8b26-0e902a1541da\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1616 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2006457a-48b3-4f7b-8d2e-1532287f9929\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1650 - Public Key Infrastructure Certificates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201d3740-bd16-4baf-b4b8-7cda352228b7\"},{\"properties\":{\"displayName\":\"Web - ports should be restricted on Network Security Groups associated to your VM\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security
-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + Allow system to be shut down without having to log on;ExpectedValue'', ''='', + parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft + Managed Control 1616 - System And 
Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft + Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201ea587-7c90-41c3-910f-c280ae01cfd6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21839937-d241-4fa5-95c6-b669253d9ab9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1111 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21de687c-f15e-4e51-bf8d-f35c8619965b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1596 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e25e01-0ae0-41be-919e-04ce92b8e8b8\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Audit'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e2995e-683e-497a-9e81-2f42ad07050a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1426 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21f639bc-f42b-46b1-8f40-7a2a389c291a\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Apps that are not 
using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft + Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft + Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and 
Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft + Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Audit''. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: + Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - 
Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"224da9fe-0d38-4e79-adb3-0a6e2af942ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1399 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2256e638-eb23-480f-9e15-6cf1af0a76b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22589a07-0007-486a-86ca-95355081ae2a\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Account Management''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Account Management'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"225e937e-d32e-4713-ab74-13ce95b3519a\"},{\"properties\":{\"displayName\":\"Management - ports should be closed on your virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Open + category: ''System Audit Policies - Account Management''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToManagementPorts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22730e10-96f6-4aac-ad84-9383d35b5917\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1493 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22b469b3-fccf-42da-aa3b-a28e6fb113ce\"},{\"properties\":{\"displayName\":\"Only - secure connections to your Redis Cache should be 
enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft + Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cache\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Cache/redis\"},{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22bee202-a82f-4305-9a2a-6d7f44d4dedb\"},{\"properties\":{\"displayName\":\"[Preview]: + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum - password length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + password length to 14 
characters","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"fie
ld\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordLength\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23020aa6-1135-4be2-bae2-149982b06eca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1256 - Contingency Plan | Identify Critical Assets\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"232ab24b-810b-4640-9019-74a7d0d6a980\"},{\"properties\":{\"displayName\":\"Service - Bus should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft + Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service + Bus should use a virtual network service 
endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"235359c5-7c52-4b82-9055-01c75cf9f60e\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosti
cSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1268 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23f6e984-3053-4dfc-ab48-543b764781f5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"243ec95e-800c-49d4-ba52-1fdd9f6b8b57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1231 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"244e0c05-cc45-4fe7-bf36-42dcf01f457d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1082 - Information Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24d480ef-11a0-4b1b-8e70-4e023bf2be23\"},{\"properties\":{\"displayName\":\"[Preview]: + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log 
Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', 
''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft + Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft + Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft + Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft + Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age - of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have a maximum password age - of 70 days. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24dde96d-f0b1-425e-884f-4a1421e2dcdc\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have a maximum password age of 70 days. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"
apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25763a0a-5783-4f14-969e-79d4933eb74b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1372 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25b96717-c912-4c00-9143-4e487f411726\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1038 - Least Privilege | Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\"},{\"properties\":{\"displayName\":\"Endpoint - protection solution should be installed on virtual machine scale sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic 
settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.
DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft + Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft + Managed Control 1038 - Least Privilege | Privileged 
Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint + protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EndpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26a828e1-e88f-464e-bbb3-c134a282b9de\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1649 - Collaborative Computing 
Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26d292cc-b0b8-4c29-9337-68abc758bf7b\"},{\"properties\":{\"displayName\":\"Metric - alert rules should be configured on Batch accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft + Managed Control 1649 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric + alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"metricName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Metric - name\",\"description\":\"The metric name that an alert rule must be enabled - on\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/alertRules\",\"existenceScope\":\"Subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/alertRules/isEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.metricName\",\"equals\":\"[parameters('metricName')]\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.resourceUri\",\"equals\":\"[concat('/subscriptions/', - subscription().subscriptionId, '/resourcegroups/', resourceGroup().name, 
'/providers/Microsoft.Batch/batchAccounts/', - field('name'))]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1396 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"276af98f-4ff9-4e69-99fb-c9b2452fb85f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1074 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"27a69937-af92-4198-9b86-08d355c7e59a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1527 - 
Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2823de66-332f-4bfd-94a3-3eb036cd3b67\"},{\"properties\":{\"displayName\":\"Deploy - default Microsoft IaaSAntimalware extension for Windows Server\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric + name","description":"The metric name that an alert rule must be enabled on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', + subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, + 
''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft + Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft + Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy + default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensio
ns\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"ExclusionsPaths\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of file paths or locations to exclude from scanning\"}},\"ExclusionsExtensions\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of file extensions to exclude from scanning\"}},\"ExclusionsProcesses\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of process names to exclude from scanning\"}},\"RealtimeProtectionEnabled\":{\"type\":\"string\",\"defaultValue\":\"true\",\"metadata\":{\"description\":\"Indicates - whether or not real time protection is enabled (default is true)\"}},\"ScheduledScanSettingsIsEnabled\":{\"type\":\"string\",\"defaultValue\":\"false\",\"metadata\":{\"description\":\"Indicates - whether or not custom scheduled scan settings are enabled (default is false)\"}},\"ScheduledScanSettingsScanType\":{\"type\":\"string\",\"defaultValue\":\"Quick\",\"metadata\":{\"description\":\"Indicates - whether scheduled scan setting type is set to Quick or Full (default is Quick)\"}},\"ScheduledScanSettingsDay\":{\"type\":\"string\",\"defaultValue\":\"7\",\"metadata\":{\"description\":\"Day - of the week for scheduled scan (1-Sunday, 2-Monday, ..., 
7-Saturday)\"}},\"ScheduledScanSettingsTime\":{\"type\":\"string\",\"defaultValue\":\"120\",\"metadata\":{\"description\":\"When + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of file paths or locations to exclude from 
scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates + whether or not real time protection is enabled (default is true)"}},"ScheduledScanSettingsIsEnabled":{"type":"string","defaultValue":"false","metadata":{"description":"Indicates + whether or not custom scheduled scan settings are enabled (default is false)"}},"ScheduledScanSettingsScanType":{"type":"string","defaultValue":"Quick","metadata":{"description":"Indicates + whether scheduled scan setting type is set to Quick or Full (default is Quick)"}},"ScheduledScanSettingsDay":{"type":"string","defaultValue":"7","metadata":{"description":"Day + of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"}},"ScheduledScanSettingsTime":{"type":"string","defaultValue":"120","metadata":{"description":"When to perform the scheduled scan, measured in minutes from midnight (0-1440). 
- For example: 0 = 12AM, 60 = 1AM, 120 = 2AM.\"}}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/IaaSAntimalware')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.Azure.Security\",\"type\":\"IaaSAntimalware\",\"typeHandlerVersion\":\"1.3\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"AntimalwareEnabled\":true,\"RealtimeProtectionEnabled\":\"[parameters('RealtimeProtectionEnabled')]\",\"ScheduledScanSettings\":{\"isEnabled\":\"[parameters('ScheduledScanSettingsIsEnabled')]\",\"day\":\"[parameters('ScheduledScanSettingsDay')]\",\"time\":\"[parameters('ScheduledScanSettingsTime')]\",\"scanType\":\"[parameters('ScheduledScanSettingsScanType')]\"},\"Exclusions\":{\"Extensions\":\"[parameters('ExclusionsExtensions')]\",\"Paths\":\"[parameters('ExclusionsPaths')]\",\"Processes\":\"[parameters('ExclusionsProcesses')]\"}}}}]},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"RealtimeProtectionEnabled\":{\"value\":\"true\"},\"ScheduledScanSettingsIsEnabled\":{\"value\":\"true\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2835b622-407b-4114-9198-6f7064cbe0dc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"283a4e29-69d5-4c94-b99e-29acf003c899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1436 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28aab8b4-74fd-4b7c-9080-5a7be525d574\"},{\"properties\":{\"displayName\":\"Microsoft + For example: 0 = 12AM, 60 = 1AM, 120 = 
2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft + Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft + Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During - Installations / Removals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1148 - Security Assessments | Independent Assessors\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e62650-c7c2-4786-bdfa-17edc1673902\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e633fd-284e-4ea7-88b4-02ca157ed713\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"292a7c44-37fa-4c68-af7c-9d836955ded2\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft + Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft + Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + User Account Control''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - User Account Control'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"29829ec2-489d-4925-81b7-bda06b1718e0\"},{\"properties\":{\"displayName\":\"Append - tag and its default value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + category: ''Security Options - User Account Control''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource - groups. 
New 'modify' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a0e14a6-b0a6-4fab-991a-187a4f81c498\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a39ac75-622b-4c88-9a3f-45b7373f7ef7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1274 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2aee175f-cd16-4825-939a-a85349d96210\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1603 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b909c26-162f-47ce-8e15-0c1f55632eac\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b9ad585-36bc-4615-b300-fd4435808332\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1434 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c251a55-31eb-4e53-99c6-e9c43c393ac2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1388 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1344 - Authenticator Feedback\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c895fe7-2d8e-43a2-838c-3a533a5b355e\"},{\"properties\":{\"displayName\":\"SSH - access from the Internet should be blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits any network security rule that allows SSH access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"22\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), - contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), - contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))), 
sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))))),22), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), - contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), - contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))))),22), 
'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"22\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fab\"},{\"properties\":{\"displayName\":\"Unattached - disks should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any unattached disk without encryption enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/disks\"},{\"field\":\"Microsoft.Compute/disks/diskState\",\"equals\":\"Unattached\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fb2\"},{\"properties\":{\"displayName\":\"Microsoft + groups. New ''modify'' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft + Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft + Managed Control 1274 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft + Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed + identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft + Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft + Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft + Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft + Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached + disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, - Storage, And Service Location\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1546 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce1ea7e-4038-4e53-82f4-63e8859333c1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1414 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1679 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cf42a28-193e-41c5-98df-7688e7ef0a88\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1068 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d045bca-a0fd-452e-9f41-4ec33769717c\"},{\"properties\":{\"displayName\":\"App - Service should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft + Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft + Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft + Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App + Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/virtualNetworkConnections\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d21331d-a4c2-4def-a9ad-ee4e1e023beb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1704 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d44b6fa-1134-4ea6-ad4e-9edb68f65429\"},{\"properties\":{\"displayName\":\"[Preview]: + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft + Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible - encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not store passwords using reversible - encryption. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d60d3b7-aa10-454c-88a8-de39d99d17c6\"},{\"properties\":{\"displayName\":\"[Preview]: + encryption","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not store passwords using reversible encryption. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts - without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":
\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d67222d-05fd-4526-a171-2ee132ad9e83\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1077 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2dad3668-797a-412e-a798-07d3849a7a79\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1149 - Security Assessments | Specialized Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e1b855b-a013-481a-aeeb-2bcb129fd35d\"},{\"properties\":{\"displayName\":\"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft + Managed Control 1149 - Security Assessments | Specialized 
Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other - Organizational Entities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e3c5583-1729-4d36-8771-59c32f090a22\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1000 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ef3cc79-733e-48ed-ab6f-7bf439e9b406\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1519 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f13915a-324c-4ab8-b45c-2eefeeefb098\"},{\"properties\":{\"displayName\":\"[Preview]: + Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft + Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable Dependency Agent for Windows - VMs 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.
Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f2ee1de-44aa-4762-b6bd-0893fc3f306d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1144 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fa15ff1-a693-4ee4-b094-324818dc9a51\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1090 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fb740e5-cbc7-4d10-8686-d1bf826652b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Web Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft + Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: + Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fde8a98-6892-426a-83ba-050e640c0ce0\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Network Access'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"30040dab-4e75-4456-8273-14b8f75d91d9\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''Security Options - Network Access''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"DomainName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Domain - Name (FQDN)\",\"description\":\"The fully qualified domain name (FQDN) that - the Windows VMs should be joined to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-s
erver*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[DomainMembership]WindowsDomainMembership;DomainName', - '=', 
parameters('DomainName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDomainMembership\"},\"DomainName\":{\"value\":\"[parameters('DomainName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DomainName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"315c850a-272d-4502-8935-b79010405970\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + Name (FQDN)","description":"The fully qualified domain name (FQDN) that the + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-window
s2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft + Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | 
Individuals Posing - Greater Risk\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"31b752c1-05a9-432a-8fce-c39b56550119\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log Analytics Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time as - support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"20
19-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equal
s\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher
\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32133ab0-ee4b-4b44-98d6-042180979d50\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1587 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32820956-9c6d-4376-934c-05cd8525be7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1333 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\"},{\"properties\":{\"displayName\":\"Deploy + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft + Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft + Managed Control 1333 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not - installed and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the specified services are not installed and 'Running'. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding + on which the specified services are not installed and ''Running''. It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ServiceName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Service - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the services that should be installed and 'Running'. e.g. 
- 'WinRm;Wi*'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf
\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsServiceStatus]WindowsServiceStatus1;ServiceName', - '=', parameters('ServiceName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsServiceStatus\"},\"ServiceName\":{\"value\":\"[parameters('ServiceName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ServiceName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32b1e4d4-6cd5-47b4-a935-169da8a5c262\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1445 - Physical And Environmental Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32d07d59-2716-4972-b37b-214a67ac4a37\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1282 - Telecommunications Services | Single Points Of Failure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34042a97-ec6d-4263-93d2-8c1c46823b2a\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service + names (supports wildcards)","description":"A semicolon-separated list of the + names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + ''='', parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft + Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft + Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid232\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3470477a-b35a-49db-aca5-1073d04524fe\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1151 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"347e3b69-7fb7-47df-a8ef-71a1a7b44bca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1412 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3492d949-0dbb-4589-88b3-7b59601cc764\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1475 - Emergency Lighting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a63848-30cf-4081-937e-ce1a1c885501\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1060 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a987fd-2003-45de-a120-014956581f2b\"},{\"properties\":{\"displayName\":\"Audit - unrestricted network access to storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Micr
osoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":
{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft + Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft + Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft + Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit + unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"equals\":\"Allow\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34c877ad-507e-4c82-993e-3452a6e0ad3c\"},{\"properties\":{\"displayName\":\"Microsoft + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System - Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34cb7e92-fe4c-4826-b51e-8cd203fa5d35\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Logic Apps should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic + logs in Logic Apps should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Logic - Apps\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34f95f76-5386-4de7-b824-0d8478470c9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1210 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3502c968-c490-4570-8167-1476f955e9b8\"},{\"properties\":{\"displayName\":\"[Preview]: + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do 
not have a maximum password - age of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"all
Of\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MaximumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"
condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"356a906e-05e5-4625-8729-90771e0ee934\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS + should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
- Allow only required domains to interact with your API app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\"},{\"properties\":{\"displayName\":\"Microsoft + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution - 
Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35a4102f-a778-4a2e-98c2-971056288df8\"},{\"properties\":{\"displayName\":\"Gateway - subnets should not be configured with a network security group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway + subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},{\"field\":\"name\",\"equals\":\"GatewaySubnet\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35f9c03a-cc27-418e-9c0c-539ff999d010\"},{\"properties\":{\"displayName\":\"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From - Executing Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361a77f6-0f9c-4748-8eec-bc13aaaa2455\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Threat Protection on Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables Advanced Threat Protection on Storage Accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"storageAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('storage
AccountName'), - '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"storageAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361c2074-3595-4e5d-8cab-4f21dffc835c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1313 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36220f5b-79a1-4cdb-8c74-2d2449f9a510\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1630 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3643717a-3897-4bfd-8530-c7c96b26b2a0\"},{\"properties\":{\"displayName\":\"Automation - account variables should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy + Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), + ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft + Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft + Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation + account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Automation\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Automation/automationAccounts/variables\"},{\"field\":\"Microsoft.Automation/automationAccounts/variables/isEncrypted\",\"notEquals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3657f5a0-770e-44a3-b44e-9431ba1e9735\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1339 - Authenticator Management | Protection Of Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"367ae386-db7f-4167-b672-984ff86277c0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1685 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36b0ef30-366f-4b1b-8652-a3511df11f53\"},{\"properties\":{\"displayName\":\"Deploy - Threat Detection on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy ensures that Threat Detection is enabled on SQL Servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36d49e87-48c4-4f2e-beed-ba4ed02b71f5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft + Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft + Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy + Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Network Security'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network Security: Configure encryption types allowed for Kerberos\",\"description\":\"Specifies - the encryption types that Kerberos is allowed to use.\"},\"defaultValue\":\"2147483644\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network security: LAN Manager authentication level\",\"description\":\"Specify + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify which challenge-response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication - accepted by servers.\"},\"defaultValue\":\"5\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network security: LDAP client signing requirements\",\"description\":\"Specify + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify the level of data signing that is requested on behalf of clients that issue - LDAP BIND requests.\"},\"defaultValue\":\"1\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: Network security: Minimum session security for NTLM SSP based (including secure - RPC) clients\",\"description\":\"Specifies which behaviors are allowed by - clients for applications using the NTLM Security Support Provider (SSP). The - SSP Interface (SSPI) is used by applications that need authentication services. - See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information.\"},\"defaultValue\":\"537395200\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: Network security: Minimum session security for NTLM SSP based (including secure - RPC) servers\",\"description\":\"Specifies which behaviors are allowed by - servers for applications using the NTLM Security Support Provider (SSP). The - SSP Interface (SSPI) is used by applications that need authentication services.\"},\"defaultValue\":\"537395200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals
\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue', - '=', parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'), - ',', 'Network security: LAN Manager authentication level;ExpectedValue', '=', - parameters('NetworkSecurityLANManagerAuthenticationLevel'), ',', 'Network - security: LDAP client signing 
requirements;ExpectedValue', '=', parameters('NetworkSecurityLDAPClientSigningRequirements'), - ',', 'Network security: Minimum session security for NTLM SSP based (including - secure RPC) clients;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'), - ',', 'Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkSecurity\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"string\"},\"Net
workSecurityLANManagerAuthenticationLevel\":{\"type\":\"string\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network - security: LAN Manager authentication level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network - security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue'', + ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), + '','', ''Network security: LAN Manager authentication level;ExpectedValue'', + ''='', parameters(''NetworkSecurityLANManagerAuthenticationLevel''), '','', + ''Network security: LDAP client signing requirements;ExpectedValue'', ''='', + parameters(''NetworkSecurityLDAPClientSigningRequirements''), '','', ''Network security: Minimum session security for NTLM SSP based (including secure RPC) - clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), + '','', ''Network security: Minimum session security for NTLM SSP based (including + secure RPC) servers;ExpectedValue'', ''='', 
parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network - security: LAN Manager authentication 
level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network - security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - 
servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36e17963-7202-494a-80c3-f508211c826b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36fbe499-f2f2-41b6-880e-52d7ea1d94a5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft + Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Interactive Logon'. 
It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-serve
r-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsInteractiveLogon\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3750712b-43d0-478e-9966-d2c26f6141b9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1624 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37d079e3-d6aa-4263-a069-dd7ac6dd9684\"},{\"properties\":{\"displayName\":\"Storage - accounts should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft + Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage + accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicStorage/storageAccounts\",\"Microsoft.Storage/StorageAccounts\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicStorage/storageAccounts\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37e0d2fe-28a5-43d6-a273-67d37d1f5606\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1335 - Authenticator Management | Pki-Based 
Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"382016f3-d4ba-4e15-9716-55077ec4dc2a\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in IoT Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft + Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic + logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Internet - of Things\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Devices/IotHubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"383856f8-de7f-44a2-81fc-e5135b5c2aa4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1081 - Information Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3867f2a9-23bb-4729-851f-c3ad98580caf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1522 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38b470cc-f939-4a15-80e0-9f0c74f2e2c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38dfd8a3-5290-4099-88b7-4081f4c4d8ae\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1397 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391af4ab-1117-46b9-b2c7-78bbd5cd995b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391ff8b3-afed-405e-9f7d-ef2f8168d5da\"},{\"properties\":{\"displayName\":\"Advanced + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft + Managed Control 1522 - Personnel 
Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft + Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address - to receive security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send alerts to' field in the Advanced - Data Security server settings. 
This email address receives alert notifications - when anomalous activities are detected on SQL managed instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1232 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"396ba986-eac1-4d6d-85c4-d3fda6b78272\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1246 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"398eb61e-8111-40d5-a0c9-003df28f1753\"},{\"properties\":{\"displayName\":\"FTPS - only should be required in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399b2637-a50f-4f95-96f8-3a145476eb15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1680 - Malicious Code Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399cd6ee-0e18-41db-9dea-cde3bd712f38\"},{\"properties\":{\"displayName\":\"Microsoft + to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send alerts to'' field in the + Advanced Data Security server settings. 
This email address receives alert + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft + Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft + Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS + only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft + Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"39c54140-5902-4079-8bb5-ad31936fe764\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1039 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1648 - Collaborative Computing Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a9eb14b-495a-4ebb-933c-ce4ef5264e32\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1315 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3aa87116-f1a1-4edb-bfbf-14e036f8d454\"},{\"properties\":{\"displayName\":\"[Preview]: - Pod Security Policies should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Define + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft + Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft + Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft + Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: + Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3abeb944-26af-43ee-b83d-32aaf060fb94\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1548 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3afe6c78-6124-4d95-b85c-eb8c0c9539cb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1003 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b68b179-3704-4ff7-b51d-7d65374d165d\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Security operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits specific Security operations with no activity log alerts configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Security Operation name for which activity log alert - should 
exist\"},\"allowedValues\":[\"Microsoft.Security/policies/write\",\"Microsoft.Security/securitySolutions/write\",\"Microsoft.Security/securitySolutions/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Security\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b980d31-7904-4bb7-8575-5665739a8052\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft + Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft + Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Micr
osoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\
"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3be22e3b-d919-47aa-805e-8985dbeb0ad9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher"
,"equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAg
ent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-wi
th-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/typ
e\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c1b3629-c8f8-4bf6-862c-037cb9094038\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in security 
configuration on your virtual machine scale sets should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c
-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities + in security 
configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OsVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1621 - Resource Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cb9f731-744a-4691-a481-ca77b0411538\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1521 - Personnel Termination | Automated Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1127 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3ce328db-aef3-48ed-9f81-2ab7cf839c66\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Search Services to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft + Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft + Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft + Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d5da587-71bd-41f5-ac95-dd3330c2d58d\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Devices'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d7b154e-2700-4c8c-9e46-cb65ac1578c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Deploy default Log Analytics Agent for Ubuntu VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d","type":"Microsoft.Authorization/policyDefinitions","name":"3d5da587-71bd-41f5-ac95-dd3330c2d58d"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Devices''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Devices''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Compute\",\"deprecated\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Log Analytics workspace\",\"description\":\"Select Log Analytics workspace - from dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\",\"16.04-LTS\",\"16.04.0-LTS\",\"14.04.2-LTS\",\"12.04.5-LTS\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/omsPolicy')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"type\":\"OmsAgentForLinux\",\"typeHandlerVersion\":\"1.4\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - 
'2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - monitoring for Linux VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1385 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e495e65-8663-49ca-9b38-9f45e800bc58\"},{\"properties\":{\"displayName\":\"Azure - Monitor solution 'Security and Audit' must be deployed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that Security and Audit is deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.OperationsManagement/solutions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.OperationsManagement/solutions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"name\",\"like\":\"Security(*)\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e596b57-105f-48a6-be97-03e9243bad6e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1160 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e797ca6-2aa8-4333-b335-7036f1110c05\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1545 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f4b171a-a56b-4328-8112-32cf7f947ee1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1179 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft + Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure + Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft + Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft + Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft + Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fe37002-5d00-4b37-a301-da09e3a0ca66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1561 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40364c3f-c331-4e29-b1e3-2fbe998ba2f5\"},{\"properties\":{\"displayName\":\"Secure - transfer 
to storage accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure + transfer to storage accounts should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"404c3081-a854-4457-ae30-26a93ef643f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1100 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4057863c-ca7d-47eb-b1e0-503580cba8a4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1637 - Boundary Protection | Fail Secure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4075bedc-c62a-4635-bede-a01be89807f3\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to 
match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft + Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft + Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - System'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AlwaysUseClassicLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always use classic logon\",\"description\":\"Specifies whether to force the - user to log on to the computer using the classic logon screen. 
This setting - only works when the computer is not on a domain.\"},\"defaultValue\":\"0\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Boot-Start Driver Initialization Policy\",\"description\":\"Specifies which - boot-start drivers are initialized based on a classification determined by - an Early Launch Antimalware boot-start driver.\"},\"defaultValue\":\"3\"},\"EnableWindowsNTPClient\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enable Windows NTP Client\",\"description\":\"Specifies whether the Windows - NTP Client is enabled. Enabling the Windows NTP Client allows your computer - to synchronize its computer clock with other NTP servers.\"},\"defaultValue\":\"1\"},\"TurnOnConveniencePINSignin\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn on convenience PIN sign-in\",\"description\":\"Specifies whether a domain - user can sign in using a convenience PIN.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"
standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Always - use classic logon;ExpectedValue', '=', parameters('AlwaysUseClassicLogon'), - ',', 'Boot-Start Driver Initialization Policy;ExpectedValue', '=', 
parameters('BootStartDriverInitializationPolicy'), - ',', 'Enable Windows NTP Client;ExpectedValue', '=', parameters('EnableWindowsNTPClient'), - ',', 'Turn on convenience PIN sign-in;ExpectedValue', '=', parameters('TurnOnConveniencePINSignin')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesSystem\"},\"AlwaysUseClassicLogon\":{\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},\"BootStartDriverInitializationPolicy\":{\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},\"EnableWindowsNTPClient\":{\"value\":\"[parameters('EnableWindowsNTPClient')]\"},\"TurnOnConveniencePINSignin\":{\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AlwaysUseClassicLogon\":{\"type\":\"string\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"string\"},\"EnableWindowsNTPClient\":{\"type\":\"string\"},\"TurnOnConveniencePINSignin\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always - use classic 
logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start - Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable - Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn - on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always - use classic logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start - Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable - Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn - on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40917425-69db-4018-8dae-2a0556cef899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1202 - Access Restrictions For Change\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40a2a83b-74f2-4c02-ae65-f460a5d2792a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1438 - Media Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40fcc635-52a2-4dbc-9523-80a1f4aa1de6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1365 - Incident Handling | Continuity Of Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4116891d-72f7-46ee-911c-8056cc8dcbd5\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. 
This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equal
s":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), + '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), + '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft + Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft + Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft + Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential - Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"411f7e2d-9a0b-4627-a0b9-1700432db47d\"},{\"properties\":{\"displayName\":\"Microsoft + Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance - Equipment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41256567-1795-4684-b00b-a1308ce43cac\"},{\"properties\":{\"displayName\":\"Azure - Monitor should collect activity logs from all regions\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure + Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiasoutheast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"brazilsouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francesouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japaneast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japanwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/loca
tions[*]\",\"notEquals\":\"koreacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"koreasouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricanorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricawest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southeastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaenorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uksouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"ukwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"global\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\
":\"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1263 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41472613-3b05-49f6-8fe8-525af113ce17\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1096 - Role-Based Security Training | Practical Exercises\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"420c1477-aa43-49d0-bd7e-c4abdd9addff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1260 - Contingency Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42254fc4-2738-4128-9613-72aaa4f0d9c3\"},{\"properties\":{\"displayName\":\"Microsoft + from all Azure supported regions including global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/location
s[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}
},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft + Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft + Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft + Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications - Traffic Anomalies\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"426c4ac9-ff17-49d0-acd7-a13c157081c0\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Batch accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic + logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"428256e6-1fac-4f48-a757-df34c2b3336d\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs 
configurations in 'System Audit - Policies - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Detailed Tracking'. It also creates a system-assigned managed identity and - deploys the VM extension for Guest Configuration. This policy should only + with non-compliant settings in Group Policy category: ''System Audit Policies + - Detailed Tracking''. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditProcessTermination\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Process Termination\",\"description\":\"Specifies whether audit events - are generated when a process has exited. 
Recommended for monitoring termination - of critical processes.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Process Termination;ExpectedValue', '=', parameters('AuditProcessTermination')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\"},\"AuditProcessTermination\":{\"value\":\"[parameters('AuditProcessTermination')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditProcessTermination\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a07bbf-ffcf-459a-b4b1-30ecd118a505\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1174 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a9a714-8fbb-43ac-b115-ea12d2bd652f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1137 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4344df62-88ab-4637-b97b-bcaf2ec97e7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"435b2547-6374-4f87-b42d-6e8dbe6ae62a\"},{\"properties\":{\"displayName\":\"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft + Managed Control 1174 - Configuration Management Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft + Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft + Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior - To New Scan / When Identified\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43684572-e4f1-4642-af35-6b933bc506da\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - System settings'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + with non-compliant settings in Group Policy category: ''Security Options - + System settings''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: System settings: Use Certificate Rules on Windows Executables for Software - Restriction Policies\",\"description\":\"Specifies whether digital certificates + Restriction Policies","description":"Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you - must enable this policy setting.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-sc
ience-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('System + must enable this policy 
setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue', '=', parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemsettings\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"437a1f8f-8552-47a8-8b12-a2fee3269dd5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1544 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43ced7c9-cd53-456b-b0da-2522649a4271\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1398 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor permissive network access in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft + Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft + Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"permissiveNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44452482-524f-4bf4-b852-0bff7cc4a3ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1066 - Remote Access | Disconnect / Disable Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4455c2e8-c65d-4acf-895e-304916f90b36\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1720 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44b9a7cd-f36a-491a-a48b-6d04ae7c4221\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1334 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44bfdadc-8c2e-4c30-9c99-f005986fabcd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1604 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44dbba23-0b61-478e-89c7-b3084667782f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1712 - Software, Firmware, And Information Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44e543aa-41db-42aa-98eb-8a5eb1db53f0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1310 - Device Identification And Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"450d7ede-823d-4931-a99d-57f6a38807dc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1559 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45692294-f074-42bd-ac54-16f1a3c07554\"},{\"properties\":{\"displayName\":\"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft + Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft + Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft + Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft + Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft + Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft + Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols - / Services In Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45b7b644-5f91-498e-9d89-7402532d3645\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1565 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45ce2396-5c76-4654-9737-f8792ab3d26b\"},{\"properties\":{\"displayName\":\"Microsoft + / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft + Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party - Registration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"463e5220-3f79-4e24-a63f-343e4096cd22\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Require SQL Server version 12.0\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Registration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: + Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},{\"not\":{\"field\":\"Microsoft.Sql/servers/version\",\"equals\":\"12.0\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\"},{\"properties\":{\"displayName\":\"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational - 
Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dc8ce-2200-4720-87a5-dc5952924cc6\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. 
Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46544d7b-1f0d-46f5-81da-5c1351de1b06\"},{\"properties\":{\"displayName\":\"Require - automatic OS image patching on Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade\",\"notEquals\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade\",\"notEquals\":\"True\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f0161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1368 - Incident Handling | Correlation With External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f32da-0ace-4603-8d1b-7be5a3a702de\"},{\"properties\":{\"displayName\":\"Microsoft + patches every month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity - Using Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4708723f-e099-4af1-bbf9-b6df7642e444\"},{\"properties\":{\"displayName\":\"Automatic + Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your - subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable - automatic provisioning of the Log Analytics monitoring agent in order to collect - security data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/autoProvisioningSettings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/autoProvisioningSettings/autoProvision\",\"equals\":\"On\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"475aae12-b88a-4572-8b36-9b712b2b3a17\"},{\"properties\":{\"displayName\":\"Adaptive - Application Controls should be enabled on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible - Application Whitelist configuration will be monitored by Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"applicationWhitelisting\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47a6b606-51aa-4496-8bb7-64b11cf66adc\"},{\"properties\":{\"displayName\":\"Microsoft + subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic + provisioning of the Log Analytics monitoring agent in order to collect security + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive + Application Controls should be enabled on virtual 
machines","policyType":"BuiltIn","mode":"All","description":"Possible + Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related - Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47bc7ea0-7d13-4f7c-a154-b903f7194253\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1165 - Continuous 
Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47e10916-6c9e-446b-b0bd-ff5fd439d79d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1048 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"483e7ca9-82b3-45a2-be97-b93163a0deb7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1033 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48540f01-fc11-411a-b160-42807c68896e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1477 - Fire Protection | Detection Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4862a63c-6c74-4a9d-a221-89af3c374503\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1484 - Water Damage Protection | Automation Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"486b006a-3653-45e8-b41c-a052d3e05456\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft + Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft + Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft + Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft + Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. Use of IP Restrictions protects an API app from common attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48893b84-a2c8-4d9a-badf-835d5d1b7d53\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for 
PostgreSQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + access your app. Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48af4db5-9b8b-401c-8e74-076be876a430\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1669 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48f2f62b-5743-4415-a143-288adc0e078d\"},{\"properties\":{\"displayName\":\"Microsoft + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft + Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External - Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"493a95f3-f2e3-47d0-af02-65e6d6decc2f\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"496223c3-ad65-4ecd-878a-bae78737e9ed\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy 
creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Audit'. It also creates a system-assigned managed identity and deploys the + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows 
virtual machines + with non-compliant settings in Group Policy category: ''Security Options - + Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit: Shut down system immediately if unable to log security audits\",\"description\":\"Audits - if the system will shut down when unable to log Security events.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"
equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit: - Shut down system immediately if unable to log security audits;ExpectedValue', - '=', 
parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAudit\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498b810c-59cd-4222-9338-352ba146ccf3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1329 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498f6234-3e20-4b6a-a880-cbd646d973bd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49b99653-32cd-405d-a135-e7d60a9aae1f\"},{\"properties\":{\"displayName\":\"Append - tag and its default value to resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Appends + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security 
audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSK
U","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + Shut down system immediately if unable to log security audits;ExpectedValue'', + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft + Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft + Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append + tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New - 'modify' effect policies are available that support remediation of tags on - existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\"},{\"properties\":{\"displayName\":\"Microsoft + ''modify'' effect policies 
are available that support remediation of tags + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage - Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49dbe627-2c1e-438c-979e-dd7a39bbf81d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1218 - Least Functionality | Prevent Program 
Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a1d0394-b9f5-493e-9e83-563fd0ac4df8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1677 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a248e1e-040f-43e5-bff2-afc3a57a3923\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1094 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4b1853e0-8973-446b-b567-09d901d31a09\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c090801-59bc-4454-bb33-e0455133486a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1364 - Incident Handling | Dynamic Reconfiguration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c615c2a-dc83-4dda-8220-abce7b50c9bc\"},{\"properties\":{\"displayName\":\"Microsoft + Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft + Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft + Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft + Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft + Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers - At Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c643c9a-1be7-4016-a5e7-e4bada052920\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1373 - Incident Reporting | Automated Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4cca950f-c3b7-492a-8e8f-ea39663c14f9\"},{\"properties\":{\"displayName\":\"Microsoft + At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft + Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote - Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ce9073a-77fa-48f0-96b1-87aa8e6091c2\"},{\"properties\":{\"displayName\":\"Deploy + Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that do not have the specified applications installed. It also creates a system-assigned + installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Linux virtual machines that + do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names\",\"description\":\"A semicolon-separated list of the names of the applications - that should be installed. e.g. 
'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\"
:[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent', - '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), - 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d1c04de-2172-403f-901b-90608c35c721\"},{\"properties\":{\"displayName\":\"FTPS - should be required in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - 
Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names","description":"A semicolon-separated list of the names of the applications + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', + '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS + should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External - System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d33f9f1-12d0-46ad-9fbd-8f8046694977\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1156 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d52e864-9a3b-41ee-8f03-520815fe5378\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1312 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d6a5968-9eef-4c18-8534-376790ab7274\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft + Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft + Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect
\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', 
parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard
"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), + ''/'', 
variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4daddf25-4823-43d4-88eb-2419eb6dcc08\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1394 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4db56f68-3f50-45ab-88f3-ca46f5379a94\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1702 - Information System Monitoring 
| Indicators Of Compromise\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4dfc0855-92c4-4641-b155-a55ddd962362\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1001 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e26f8c3-4bf3-4191-b8fc-d888805101b7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1083 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e319cb6-2ca3-4a58-ad75-e67f484e50ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1247 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e666db5-b2ef-4b06-aac6-09bfce49151b\"},{\"properties\":{\"displayName\":\"Microsoft + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft + Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft + Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft + Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft + Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft + Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\"},{\"properties\":{\"displayName\":\"Microsoft + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset - Of Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e95f70e-181c-4422-9da2-43079710c789\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1267 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e97ba1d-be5d-4953-8da4-0cccf28f4805\"},{\"properties\":{\"displayName\":\"Microsoft + Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft + Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ebd97f7-b105-4f50-8daf-c51465991240\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1139 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ed62522-de00-4dda-9810-5205733d2f34\"},{\"properties\":{\"displayName\":\"A - maximum of 3 owners should be designated for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft + Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A + maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateLessThanXOwners\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f11b553-d42e-4e3a-89be-32ca364cad4c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1442 - Media Sanitization | Nondestructive Techniques\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f26049b-2c5a-4841-9ff3-d48a26aae475\"},{\"properties\":{\"displayName\":\"Microsoft + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft + Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, - Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f34f554-da4b-4786-8d66-7915c90893da\"},{\"properties\":{\"displayName\":\"A - security contact email address should be provided for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A + security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/email\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\"},{\"properties\":{\"displayName\":\"Add - a tag to resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add + a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does - not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f9dc7db-30c1-420c-b61a-e1d640128d26\"},{\"properties\":{\"displayName\":\"[Preview] - Vulnerability Assessment 
should be enabled on Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] + Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"serverVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"NotApplicable\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"501541f7-f7e7-4cd6-868c-4190fdad3ac9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1485 - Delivery And Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50301354-95d0-4a11-8af5-8039ecf6d38b\"},{\"properties\":{\"displayName\":\"Microsoft + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft + Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric - Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"506814fa-b930-4b10-894e-a45b98c40e1a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1566 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50ad3724-e2ac-4716-afcc-d8eabd97adb9\"},{\"properties\":{\"displayName\":\"A + Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft + Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway - connections\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that all Azure virtual network gateway connections use a custom - Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported - algorithms and key strengths - https://aka.ms/AA62kb0\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"IPsecEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec - Encryption\",\"description\":\"IPsec Encryption\"}},\"IPsecIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec - Integrity\",\"description\":\"IPsec Integrity\"}},\"IKEEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE - Encryption\",\"description\":\"IKE Encryption\"}},\"IKEIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE - Integrity\",\"description\":\"IKE Integrity\"}},\"DHGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"DH - Group\",\"description\":\"DH Group\"}},\"PFSGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"PFS - Group\",\"description\":\"PFS 
Group\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/connections\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption\",\"notIn\":\"[parameters('IPsecEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity\",\"notIn\":\"[parameters('IPsecIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption\",\"notIn\":\"[parameters('IKEEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity\",\"notIn\":\"[parameters('IKEIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].dhGroup\",\"notIn\":\"[parameters('DHGroup')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup\",\"notIn\":\"[parameters('PFSGroup')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50b83b09-03da-41c1-b656-c293c914862b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1248 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50fc602d-d8e0-444b-a039-ad138ee5deb0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1386 - Information 
Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5120193e-91fd-4f9d-bc6d-194f94734065\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1352 - Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"518cb545-bfa8-43f8-a108-3b7d5037469a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1642 - Network Disconnect\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53397227-5ee3-4b23-9e5e-c8a767ce6928\"},{\"properties\":{\"displayName\":\"Connection - throttling should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + connections","policyType":"BuiltIn","mode":"All","description":"This policy + ensures that all Azure virtual network gateway connections use a custom Internet + Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec + Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec + Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE + Encryption","description":"IKE Encryption"}},"IKEIntegrity":{"type":"Array","metadata":{"displayName":"IKE + Integrity","description":"IKE Integrity"}},"DHGroup":{"type":"Array","metadata":{"displayName":"DH + Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS + Group","description":"PFS 
Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft + Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft + Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft + Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft + Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection + throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per - IP for too many invalid password login failures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"connection_throttling\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5345bb39-67dc-4960-a1bf-427e16b9a0bd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1467 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5350cbf9-8bdd-4904-b22a-e88be84ca49d\"},{\"properties\":{\"displayName\":\"Microsoft + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft + Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, - Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5352e3e0-e63a-452e-9e5f-9c1d181cff9c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1029 - Information Flow Enforcement | Security Policy Filters\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53c76a39-2097-408a-b237-b279f7b4614d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1040 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"54205576-cec9-463f-ba44-b4b3f5d0a84c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1015 - Account Management | Disable Inactive Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"544a208a-9c3f-40bc-b1d1-d7e144495c14\"},{\"properties\":{\"displayName\":\"Microsoft + Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft + Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft + Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft + Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft + Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk - Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"55419419-c597-4cd4-b51e-009fd2266783\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1045 - Unsuccessful Logon Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1523 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5577a310-2551-49c8-803b-36e0d5e55601\"},{\"properties\":{\"displayName\":\"Microsoft + Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft + Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft + Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage - Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"562afd61-56be-4313-8fe4-b9564aa4ba7d\"},{\"properties\":{\"displayName\":\"Microsoft + Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management - / Application / Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"56d970ee-4efc-49c8-8a4e-5916940d784c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"57149289-d52b-4f40-9fe6-5233c1ef80f7\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft + Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. - Allow only required domains to interact with your web app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5744710e-cc2f-4ee8-8809-3b11e89f4bc9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1162 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1054 - Session Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5807e1b4-ba5e-4718-8689-a0ca05a191b2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1584 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5864522b-ff1d-4979-a9f8-58bee1fb174c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1547 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1573 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58c93053-7b98-4cf0-b99f-1beb985416c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Ensure Function app is using the latest version of TLS encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft + Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft + Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft + Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft + Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft + Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: + Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58d94fc1-a072-47c2-bd37-9cdb38e77453\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1063 - Remote Access | Managed Access Control Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"593ce201-54b2-4dd0-b34f-c308005d7780\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1463 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"59721f87-ae25-4db0-a2a4-77cc5b25d495\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1425 - Timely Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5983d99c-f39b-4c32-a3dc-170f19f6941b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1512 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5a8324ad-f599-429b-aaed-f9c6e8c987a8\"},{\"properties\":{\"displayName\":\"[Preview]: + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + Managed Control 1063 - Remote Access | Managed Access Control Points","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft + Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft + Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a minimum password age - of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have a minimum password age - of 1 day. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa11bbc-5c76-4302-80e5-aba46a4282e7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1032 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa85661-d618-46b8-a20f-ca40a86f0751\"},{\"properties\":{\"displayName\":\"[Preview]: + of 1 day","policyType":"BuiltIn","mode":"All","description":"This 
policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have a minimum password age of 1 day. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":
[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password - length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + length to 14 
characters","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivot
al\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aebc8d1-020d-4037-89a0-02043a7524ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1555 - Vulnerability Scanning | Privileged Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5afa8cab-1ed7-4e40-884c-64e0ac2059cc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1205 - Access Restrictions For Change | Signed Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b070cab-0fb8-4e48-ad29-fc90b4c2797c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1005 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b626abc-26d4-4e22-9de8-3831818526b1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1105 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b73f57b-587d-4470-a344-0b0ae805f459\"},{\"properties\":{\"displayName\":\"Show - audit results from Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft + Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft + Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft + Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show + audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"fiel
d\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b842acb-0fe7-41b0-9f40-880ec4ad84d8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1433 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b879b41-2728-41c5-ad24-9ee2c37cbe65\"},{\"properties\":{\"displayName\":\"Ensure - WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. - Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb220d9-2698-4ee4-8404-b9c30c9df609\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure + WEB app has ''Client Certificates (Incoming client certificates)'' set to + 
''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection - status does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + status does not match the specified one","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"host\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Remote Host Name\",\"description\":\"Specifies the Domain Name System (DNS) - name or IP address of the remote host machine.\"}},\"port\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Port\",\"description\":\"The TCP port number on the remote host name.\"}},\"shouldConnect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Should connect to remote host\",\"description\":\"Must be 'True' or 'False'. - 'True' indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 'False' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a 
connection.\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/
storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsRemoteConnection]WindowsRemoteConnection1;host', - '=', parameters('host'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;port', - '=', parameters('port'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect', - '=', 
parameters('shouldConnect')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsRemoteConnection\"},\"host\":{\"value\":\"[parameters('host')]\"},\"port\":{\"value\":\"[parameters('port')]\"},\"shouldConnect\":{\"value\":\"[parameters('shouldConnect')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"host\":{\"type\":\"string\"},\"port\":{\"type\":\"string\"},\"shouldConnect\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb36dda-8a78-4df9-affd-4f05a8612a8a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1551 - Vulnerability Scanning | Update Tool 
Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bbda922-0172-4095-89e6-5b4a0bf03af7\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', + ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', + ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft + Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Network Security''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Network Security'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Comput
e/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c028d2a-1889-45f6-b821-31f42711ced8\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + category: ''Security Options - Network Security''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldis
k\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachineScaleS
ets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1671 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5bbef7-a316-415b-9b38-29753ce8e698\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1067 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5e54f6-0127-44d0-8b61-f31dc8dd6190\"},{\"properties\":{\"displayName\":\"External - accounts with 
write permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublis
her","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft + Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft + Managed Control 1067 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External + accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c607a2e-c700-4744-8254-d77e7c9eb5e4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1483 - Water Damage Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5cb81060-3c8a-4968-bcdc-395a1801f6c1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1362 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5d169442-d6ef-439b-8dca-46c2c3248214\"},{\"properties\":{\"displayName\":\"Microsoft + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft + Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft + Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency - Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5dee936c-8037-4df1-ab35-6635733da48c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1665 - Process Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df3a55c-8456-44d4-941e-175f79332512\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Function App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft + Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: + Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForFunctionApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df82f4f-773a-4a2d-97a2-422a806f1a55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1251 - Contingency Plan | Coordinate With Related Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e2b3730-8c14-4081-8893-19dbb5de7348\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + from network layer eavesdropping 
attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported 
.NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\"},{\"properties\":{\"displayName\":\"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have the specified applications - installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e393799-e3ca-4e43-a9a5-0ec4648a57d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1116 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e47bc51-35d1-44b8-92af-e2f2d8b67635\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1208 - Configuration 
Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ea87673-d06b-456f-a324-8abcee5c159f\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in India data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + installed","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have the specified applications installed. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft + Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central India\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"westindia\",\"southindia\",\"centralindia\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log 
Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\"
:\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandlerVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - 
'2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\"},{\"properties\":{\"displayName\":\"Microsoft + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imag
eOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information - For Security Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f18c885-ade3-48c5-80b1-8f9216019c18\"},{\"properties\":{\"displayName\":\"External - accounts with read permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External + accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f76cf89-fbf2-47fd-a3f4-b891fa780b60\"},{\"properties\":{\"displayName\":\"Add - or replace a tag on resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add + or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. 
Does - not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ffd78d9-436d-4b41-a421-5baa819e3008\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1663 - Protection Of Information At Rest\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60171210-6dde-40af-a144-bf2670518bfa\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs 
configurations in 'System Audit Policies - - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft + Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit 
Policies + - Object Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Object Access'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Micro
soft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60aeaf73-a074-417a-905f-7ce9df0ff77b\"},{\"properties\":{\"displayName\":\"Storage - Accounts should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''System Audit Policies - Object Access''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60d21c4f-21a3-4d94-85f4-b924e6aeeda4\"},{\"properties\":{\"displayName\":\"Show + service 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication - protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows web servers that are not using secure communication protocols - (TLS 1.1 or TLS 1.2). 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60ffe3e2-4604-4460-8f22-0f1da058266c\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Data Security on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + protocols","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + web servers that are not using secure communication protocols (TLS 1.1 or + TLS 1.2). 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a 'sqlva' prefix.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"serverResourceGroupName\":\"[resourceGroup().name]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), - variables('serverResourceGroupName'), parameters('location'))]\",\"storageName\":\"[tolower(concat('sqlva', - variables('uniqueStorage')))]\"},\"resources\":[{\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[variables('storageName')]\",\"apiVersion\":\"2019-04-01\",\"location\":\"[parameters('location')]\",\"sku\":{\"name\":\"Standard_LRS\"},\"kind\":\"StorageV2\",\"properties\":{}},{\"name\":\"[concat(parameters('serverName'), - '/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}},{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"apiVersion\":\"2018-06-01-preview\",\"properties\":{\"storageContainerPath\":\"[concat(reference(resourceId('Microsoft.Storage/storageAccounts', - variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]\",\"storageAccountAccessKey\":\"[listKeys(resourceId('Microsoft.Storage/storageAccounts', - variables('storageName')), '2018-02-01').keys[0].value]\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true,\"emails\":[]}},\"dependsOn\":[\"[concat('Microsoft.Storage/storageAccounts/', - variables('storageName'))]\",\"[concat('Microsoft.Sql/servers/', parameters('serverName'), - '/securityAlertPolicies/Default')]\"]}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6134c3db-786f-471e-87bc-8f479dc890f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Configure time zone on Windows machines.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', + variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/vulnerabilityAssessments","apiVersion":"2018-06-01-preview","properties":{"storageContainerPath":"[concat(reference(resourceId(''Microsoft.Storage/storageAccounts'', + variables(''storageName''))).primaryEndpoints.blob, 
''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', + variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', + variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Time zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) - International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) - Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) - Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja - California\",\"(UTC-08:00) Coordinated Universal Time-08\",\"(UTC-08:00) Pacific - Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, - Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central - America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter - Island\",\"(UTC-06:00) Guadalajara, Mexico City, 
Monterrey\",\"(UTC-06:00) - Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) - Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) - Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) - Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) - Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) - Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) - Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos - Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) - Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) - Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) - Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) - Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) - Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, - Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, - Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) - Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) - Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) - Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, - Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, - Sofia, Tallinn, Vilnius\",\"(UTC+02:00) Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) - Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) - Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) - Minsk\",\"(UTC+03:00) Moscow, St. 
Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) - Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) - Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) - Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) - Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) - Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) - Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) - Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) - Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, - Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) - Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong - Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) - Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) - Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) - Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) - Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, - Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) - Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) - Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) - Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) - Auckland, Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) - Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham - Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) - 
Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\
":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"SetWindowsTimeZone\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', - '=', parameters('TimeZone')))]\"},{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"SetWindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6141c932-9384-44c6-a395-59e4c057d7c9\"},{\"properties\":{\"displayName\":\"Service - Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Service + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) + Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) + 
Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) + Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) + Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time + (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US + & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, + Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio + Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) + Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks + and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) + Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San + Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) + Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) + Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) + Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated + Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) + Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, + Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) + Casablanca","(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) + Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, + Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) + West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) + Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) + Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, + Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) 
Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) + Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) + Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, + St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu + Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) + Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) + Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) + Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) + Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) + Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) + Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, + Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) + Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, + Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, + Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) + Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) + Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) + Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) + Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) + Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) + Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) + Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) + Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) + Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham 
Islands","(UTC+13:00) + Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microso
ft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9","type":"Microsoft.Authorization/policyDefinitions","name":"6141c932-9384-44c6-a395-59e4c057d7c9"},{"properties":{"displayName":"Service + Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","policyType":"BuiltIn","mode":"Indexed","description":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service - Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].name\",\"notEquals\":\"Security\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name\",\"notEquals\":\"ClusterProtectionLevel\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value\",\"notEquals\":\"EncryptAndSign\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"617c02be-7f02-4efd-8836-3180d47b6c68\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1110 - Audit Storage Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1415 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61a1dd98-b259-4840-abd5-fbba7ee0da83\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1153 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61cf3125-142c-4754-8a16-41ab4d529635\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft + Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft + Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + System objects''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - System objects'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"620e58b5-ac75-49b4-993f-a9d4f0459636\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"62b638c5-29d7-404b-8d93-f21e4b1ce198\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1660 - Session Authenticity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System 
and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63096613-ce83-43e5-96f4-e588e8813554\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1002 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"632024c2-8079-439d-a7f6-90af1d78cc65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1498 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"633988b9-cf2f-4323-8394-f0d2af9cd6e1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1177 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1185 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6420cd73-b939-43b7-9d99-e8688fea053c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Devices'. It also creates a system-assigned managed identity and deploys the - VM extension for Guest Configuration. This policy should only be used along - with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Devices: Allowed to format and eject removable media\",\"description\":\"Specifies + category: ''Security Options - System objects''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft + Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft + Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft + Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + Managed Control 1177 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft + Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: ''Security Options - + Devices''. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies who is allowed to format and eject removable NTFS media. 
You can use this policy setting to prevent unauthorized users from removing data on one computer - to access it on another computer on which they have local administrator privileges.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microso
ft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Devices: - Allowed to format and eject removable media;ExpectedValue', '=', parameters('DevicesAllowedToFormatAndEjectRemovableMedia')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsDevices\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), 
- toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: - Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: - Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6481cc21-ed6e-4480-99dd-ea7c5222e897\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1441 - Media Sanitization | Equipment Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6519d7f3-e8a2-4ff3-a935-9a9497152ad7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65592b16-4367-42c5-a26e-d371be450e17\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit missing blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-securi
ty-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', 
parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable 
media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft + Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft + Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: + Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"655cb504-bcee-4362-bd4c-402e6aa38759\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1261 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65aeceb5-a59c-4cb1-8d82-9c474be5d431\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"664346d9-be92-43fb-a219-d595eeb76a90\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1444 - Media Use | Prohibit Use Without Owner\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"666143df-f5e0-45bd-b554-135f0f93e44e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1319 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"66f7ae57-5560-4fc5-85c9-659f204e7a42\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1628 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"67de62b4-a737-4781-8861-3baed3c35069\"},{\"properties\":{\"displayName\":\"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft + Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft + Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External - Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68434bd1-e14b-4031-9edb-a4adf5f84a67\"},{\"properties\":{\"displayName\":\"[Preview]: + Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent - is not connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Connected workspace IDs\",\"description\":\"A semicolon-separated list of - the workspace IDs that the Log Analytics agent should be connected to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId', - '=', 
parameters('WorkspaceId')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsLogAnalyticsAgentConnection\"},\"WorkspaceId\":{\"value\":\"[parameters('WorkspaceId')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WorkspaceId\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68511db2-bd02-41c4-ae6b-1900a012968a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1597 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68b250ec-2e4f-4eee-898a-117a9fda7016\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1588 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68ebae26-e0e0-4ecb-8379-aabf633b51e9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1070 - Wireless Access | Disable Wireless Networking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68f837d0-8942-4b1e-9b31-be78b247bda8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1727 - Memory Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"697175a7-9715-4e89-b98b-c6f605888fa3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1652 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6998e84a-2d29-4e10-8962-76754d4f772d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1699 - Information System Monitoring | Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69c7bee8-bc19-4129-a51e-65a7b39d3e7c\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft + Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft + Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft + Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft + Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft + Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft + Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69d2a238-20ab-4206-a6dc-f302bf88b1b8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1244 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a13a8f8-c163-4b1b-8554-d63569dab937\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1019 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a3ee9b2-3977-459c-b8ce-2db583abd9f7\"},{\"properties\":{\"displayName\":\"[Preview]: + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft + Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft + Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit - Guard is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NotAvailableMachineState\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: State in which to show VMs on which Windows Defender Exploit Guard is not - available\",\"description\":\"Windows Defender Exploit Guard is only available + available","description":"Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value - to 'Non-Compliant' will make machines with older versions on which Windows + to ''Non-Compliant'' will make machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
- Setting this value to 'Compliant' will make these machines compliant.\"},\"allowedValues\":[\"Compliant\",\"Non-Compliant\"],\"defaultValue\":\"Non-Compliant\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsCon
figuration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState', - '=', parameters('NotAvailableMachineState')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDefenderExploitGuard\"},\"NotAvailableMachineState\":{\"value\":\"[parameters('NotAvailableMachineState')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NotAvailableMachineState\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-sc
ience-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + ''='', 
parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","type":"Microsoft.Authorization/policyDefinitions","name":"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a web application from common - attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8450e2-6c61-43b4-be65-62e3a197bffe\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1211 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8b9dc8-6b00-4701-aa96-bba3277ebf50\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Ensure WEB app is using the latest version of TLS encryption \",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: + Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ad61431-88ce-4357-a0e1-6da43f292bd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1653 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\"},{\"properties\":{\"displayName\":\"Deprecated - accounts should be removed from your 
subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated + accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1cbf55-e8b6-442f-ba4c-7246b6381474\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Service Bus to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b51af03-9277-49a9-a3f8-1c69c9ff7403\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1031 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b93a801-fe25-4574-a60d-cb22acffae00\"},{\"properties\":{\"displayName\":\"Not - allowed resource types\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + 
rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft + Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not + allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesNotAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of resource types that cannot be deployed.\",\"displayName\":\"Not allowed - resource types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesNotAllowed')]\"},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\"},{\"properties\":{\"displayName\":\"Microsoft + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + list of resource types that cannot be deployed.","displayName":"Not allowed + resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password - Strength Determination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c59a207-6aed-41dc-83a2-e1ff66e4a4db\"},{\"properties\":{\"displayName\":\"Microsoft + Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local - Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1437 - Media Transport | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\"},{\"properties\":{\"displayName\":\"Microsoft + Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft + Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent - Or Team\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d4820bc-8b61-4982-9501-2123cb776c00\"},{\"properties\":{\"displayName\":\"Function - App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function + App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1643 - Cryptographic Key Establishment And Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8d492c-dd7a-46f7-a723-fa66a425b87c\"},{\"properties\":{\"displayName\":\"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft + Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability - / Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1175 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6dab4254-c30d-4bb7-ae99-1d21586c063c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1651 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6db63528-c9ba-491c-8a80-83e1e6977a50\"},{\"properties\":{\"displayName\":\"Email - notification for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft + Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft + Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email + notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertNotifications\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e2593d9-add6-4083-9c9b-4b7d2188c899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1586 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e3b2fbd-8f37-4766-a64d-3f37703dcb51\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1536 - Risk Assessment Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e40d9de-2ad4-4cb5-8945-23143326a502\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1530 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e8f9566-29f1-49cd-b61f-f8628a3cf993\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1460 - Access Control For Output Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f3ce1bb-4f77-4695-8355-70b08d54fdda\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1320 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f54c732-71d4-4f93-a696-4e373eca3a77\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: Japan East, Japan 
West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdb9205-3462-4cfc-87d8-16c7860b53f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1141 - Audit Generation | Changes By Authorized Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdefbf4-93e7-4513-bc95-c1858b7093e0\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft + Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft + Managed Control 1536 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft + Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft + Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft + Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft + Managed Control 1141 - Audit Generation | Changes By 
Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Microsoft Network Server'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + category: ''Security Options - Microsoft Network Server''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7008174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Windows Components'. + with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Send file samples when further analysis is required\",\"description\":\"Specifies - whether and how Windows Defender will submit samples of suspected malware - \ to Microsoft for further analysis when opt-in for MAPS telemetry is set.\"},\"defaultValue\":\"1\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow indexing of encrypted files\",\"description\":\"Specifies whether encrypted - items are allowed to be indexed.\"},\"defaultValue\":\"0\"},\"AllowTelemetry\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow Telemetry\",\"description\":\"Specifies configuration of the amount - of diagnostic and usage data reported to Microsoft. 
The data is transmitted - securely and sensitive data is not sent.\"},\"defaultValue\":\"2\"},\"AllowUnencryptedTraffic\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow unencrypted traffic\",\"description\":\"Specifies whether the Windows - Remote Management (WinRM) service sends and receives unencrypted messages - over the network.\"},\"defaultValue\":\"0\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always install with elevated privileges\",\"description\":\"Specifies whether + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic + and usage data reported to Microsoft. 
The data is transmitted securely and + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether Windows Installer should use system permissions when it installs any program - on the system.\"},\"defaultValue\":\"0\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always prompt for password upon connection\",\"description\":\"Specifies whether + on the system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer - for a password upon connection.\"},\"defaultValue\":\"1\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Application: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Application event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Automatically send memory dumps for OS-generated error reports\",\"description\":\"Specifies + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in 
kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically.\"},\"defaultValue\":\"1\"},\"ConfigureDefaultConsent\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Configure Default consent\",\"description\":\"Specifies setting of the default - consent handling for error reports sent to Microsoft.\"},\"defaultValue\":\"4\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Configure Windows SmartScreen\",\"description\":\"Specifies how to manage - the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. 
Some information is sent to Microsoft about files and programs run - on PCs with this feature enabled.\"},\"defaultValue\":\"1\"},\"DisallowDigestAuthentication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Disallow Digest authentication\",\"description\":\"Specifies whether the Windows - Remote Management (WinRM) client will not use Digest authentication.\"},\"defaultValue\":\"0\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Disallow WinRM from storing RunAs credentials\",\"description\":\"Specifies - whether the Windows Remote Management (WinRM) service will not allow RunAs - credentials to be stored for any plug-ins.\"},\"defaultValue\":\"1\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Do not allow passwords to be saved\",\"description\":\"Specifies whether to - prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer.\"},\"defaultValue\":\"1\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Security: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Security event log in kilobytes.\"},\"defaultValue\":\"196608\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Set client connection encryption level\",\"description\":\"Specifies whether - to require the use of a specific encryption level to secure communications - between client computers and RD Session Host servers during Remote Desktop - Protocol (RDP) connections. 
This policy only applies when you are using native - RDP encryption.\"},\"defaultValue\":\"3\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Set the default behavior for AutoRun\",\"description\":\"Specifies the default + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent + Remote Desktop Services - Terminal Services clients from saving passwords + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. 
This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf - files. They often launch the installation program or other routines.\"},\"defaultValue\":\"1\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Setup: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Setup event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - System: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the System event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn off Data Execution Prevention for Explorer\",\"description\":\"Specifies + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer.\"},\"defaultValue\":\"0\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Specify the interval to check for definition updates\",\"description\":\"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies an interval at which to check for Windows Defender definition updates. 
The - time value is represented as the number of hours between update checks.\"},\"defaultValue\":\"8\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.C
ompute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Send - file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), - ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), - ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', - 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), - ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), - ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), - ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', - '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically - send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), - ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), - ',', 'Configure Windows 
SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), - ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), - ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), - ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), - ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', - parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection - encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), - ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), - ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), - ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', - parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution - Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), - ',', 'Specify the interval to check for definition updates;ExpectedValue', - '=', 
parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsComponents\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},\"AllowIndexingOfEncryptedFiles\":{\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},\"AllowTelemetry\":{\"value\":\"[parameters('AllowTelemetry')]\"},\"AllowUnencryptedTraffic\":{\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},\"AlwaysInstallWithElevatedPrivileges\":{\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},\"AlwaysPromptForPasswordUponConnection\":{\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},\"ConfigureDefaultConsent\":{\"value\":\"[parameters('ConfigureDefaultConsent')]\"},\"ConfigureWindowsSmartScreen\":{\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},\"DisallowDigestAuthentication\":{\"value\":\"[parameters('DisallowDigestAuthentication')]\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},\"DoNotAllowPasswordsToBeSaved\":{\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},\"SetClientConnectionEncryptionLevel\":{\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},\"SetTheDefaultBehaviorForAutoRun\":{\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"
},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"string\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"string\"},\"AllowTelemetry\":{\"type\":\"string\"},\"AllowUnencryptedTraffic\":{\"type\":\"string\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"string\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"string\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"string\"},\"ConfigureDefaultConsent\":{\"type\":\"string\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"string\"},\"DisallowDigestAuthentication\":{\"type\":\"string\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"string\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"string\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"string\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"string\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"string\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"string\"}},\"resou
rces\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send - file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow - indexing of encrypted files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow - Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow - unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always - install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always - prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically - send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure - Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure - Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow - Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow - WinRM 
from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do - not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set - client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set - the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn - off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify - the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send - file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow - indexing of encrypted 
files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow - Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow - unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always - install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always - prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically - send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure - Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure - Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow - Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow - WinRM from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do - not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set - client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set - the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: - Specify the maximum log file size 
(KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn - off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify - the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7040a231-fb65-4412-8c0a-b365f4866c24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"704e136a-4fe0-427c-b829-cd69957f5d2b\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - System'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7066131b-61a6-4917-a7e4-72e8983f0aa6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1509 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70792197-9bfc-4813-905a-bd33993e327f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1541 - Risk 
Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70f6af82-7be6-44aa-9b15-8b9231b2e434\"},{\"properties\":{\"displayName\":\"Microsoft + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), + '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), + '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), + '','', ''Allow unencrypted traffic;ExpectedValue'', ''='', parameters(''AllowUnencryptedTraffic''), + '','', ''Always install with elevated privileges;ExpectedValue'', ''='', parameters(''AlwaysInstallWithElevatedPrivileges''), + '','', ''Always prompt for 
password upon connection;ExpectedValue'', ''='', + parameters(''AlwaysPromptForPasswordUponConnection''), '','', ''Application: + Specify the maximum log file size (KB);ExpectedValue'', ''='', parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB''), + '','', ''Automatically send memory dumps for OS-generated error reports;ExpectedValue'', + ''='', parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports''), + '','', ''Configure Default consent;ExpectedValue'', ''='', parameters(''ConfigureDefaultConsent''), + '','', ''Configure Windows SmartScreen;ExpectedValue'', ''='', parameters(''ConfigureWindowsSmartScreen''), + '','', ''Disallow Digest authentication;ExpectedValue'', ''='', parameters(''DisallowDigestAuthentication''), + '','', ''Disallow WinRM from storing RunAs credentials;ExpectedValue'', ''='', + parameters(''DisallowWinRMFromStoringRunAsCredentials''), '','', ''Do not + allow passwords to be saved;ExpectedValue'', ''='', parameters(''DoNotAllowPasswordsToBeSaved''), + '','', ''Security: Specify the maximum log file size (KB);ExpectedValue'', + ''='', parameters(''SecuritySpecifyTheMaximumLogFileSizeKB''), '','', ''Set + client connection encryption level;ExpectedValue'', ''='', parameters(''SetClientConnectionEncryptionLevel''), + '','', ''Set the default behavior for AutoRun;ExpectedValue'', ''='', parameters(''SetTheDefaultBehaviorForAutoRun''), + '','', ''Setup: Specify the maximum log file size (KB);ExpectedValue'', ''='', + parameters(''SetupSpecifyTheMaximumLogFileSizeKB''), '','', ''System: Specify + the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), + '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', + ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify + the interval to check for definition updates;ExpectedValue'', ''='', 
parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFi
leSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size 
(KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated 
privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to 
check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft + Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - System''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''System + Audit Policies - System''. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft + Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For - Real-Time Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71475fb4-49bd-450b-a1a5-f63894c24725\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1481 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"717a1c78-a267-4f56-ac58-ee6c54dc4339\"},{\"properties\":{\"displayName\":\"Microsoft + Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft + Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time - Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71bb965d-4047-4623-afd4-b8189a58df5d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1395 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7207a023-a517-41c5-9df2-09d4c6845a05\"},{\"properties\":{\"displayName\":\"[Preview]: + Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft + Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not - compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows VMs on which the Desired State Configuration (DSC) configuration - is not compliant. This policy is only applicable to machines with WMF 4 and - above. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7227ebe5-9ff7-47ab-b823-171cd02fb90f\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - Network'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7229bd6a-693d-478a-87f0-1dc1af06f3b8\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + compliant","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + VMs on which the Desired State Configuration (DSC) configuration is not compliant. + This policy is only applicable to machines with WMF 4 and above. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - Network''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Administrative + Templates - Network''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7238174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the WEB app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7238174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the WEB app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App 
Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7261b898-8a84-4db8-9e04-18527132abb3\"},{\"properties\":{\"displayName\":\"[Preview]: + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App 
Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","type":"Microsoft.Authorization/policyDefinitions","name":"7261b898-8a84-4db8-9e04-18527132abb3"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous - 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + 24 passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"EnforcePasswordHistory\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726671ac-c4de-4908-8c7d-6043ae62e3b6\"},{\"properties\":{\"displayName\":\"Add - a tag to resource 
groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Wi
ndows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","type":"Microsoft.Authorization/policyDefinitions","name":"726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"properties":{"displayName":"Add + a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. 
If the tag exists with a different value it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726aca4c-86e9-4b04-b0c5-073027359532\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1524 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"72f1cb4e-2439-4fe8-88ea-b8671ce3c268\"},{\"properties\":{\"displayName\":\"Microsoft + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft + Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized - Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"731856d8-1598-4b75-92de-7d46235747c0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1101 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7327b708-f0e0-457d-9d2a-527fcc9c9a65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1456 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"733ba9e3-9e7c-440a-a7aa-6196a90a2870\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1581 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"742b549b-7a25-465f-b83c-ea1ffb4f4e0e\"},{\"properties\":{\"displayName\":\"Allowed - storage account SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft + Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft + Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft + Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed + storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of SKUs that can be specified for storage accounts.\",\"displayName\":\"Allowed - SKUs\",\"strongType\":\"StorageSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7433c107-6db4-4ad1-b57a-a76dce0154a1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + list of SKUs that can be specified for storage accounts.","displayName":"Allowed + SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft + Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App 
Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74c3584d-afae-46f7-a20a-6f8adba71a16\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7522ed84-70d5-4181-afc0-21e50b1b6d0e\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit enabling of diagnostic logs in App Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft + Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites/config\"},{\"field\":\"name\",\"equals\":\"web\"},{\"anyOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"notEquals\":\"true\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"752c6934-9bcc-4749-b004-655e676ae2ac\"},{\"properties\":{\"displayName\":\"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance - / Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75603f96-80a1-4757-991d-5a1221765ddd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1053 - Session Lock | Pattern-Hiding Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7582b19c-9dba-438e-aed8-ede59ac35ba3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1459 - Access Control For Transmission Medium\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\"},{\"properties\":{\"displayName\":\"Vulnerabilities - should be remediated by a Vulnerability Assessment solution\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + / Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft + Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft + Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities + should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"vulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"760a85ff-6162-42b3-8d70-698e268f648c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Linux VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + a Vulnerability Assessment solution in Azure 
Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/im
ageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', 
parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"765266ab-e40e-4c61-bcb2-5a5275d0b7c0\"},{\"properties\":{\"displayName\":\"Microsoft + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-S
P4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message - Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"769efd9b-3587-4e22-90ce-65ddcd5bd969\"},{\"properties\":{\"displayName\":\"Audit - delegation of scopes to a managing tenant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Lighthouse\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ManagedServices/registrationAssignments\"},{\"value\":\"true\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76bed37b-484f-430f-a009-fd7592dff818\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1058 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76e85d08-8fbb-4112-a1c1-93521e6a9254\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1508 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76f500cc-4bca-4583-bda1-6d084dc21086\"},{\"properties\":{\"displayName\":\"Microsoft + Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit + delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft + Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft + Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate - Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7741669e-d4f6-485a-83cb-e70ce7cbbc20\"},{\"properties\":{\"displayName\":\"Azure - subscriptions should have a log profile for Activity Log\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"field\":\"Microsoft.Insights/logProfiles/categories\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7796937f-307b-4598-941c-67d3a05ebfe7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1336 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"77f56280-e367-432a-a3b9-8ca2aa636a26\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1258 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7814506c-382c-4d33-a142-249dd4a0dbff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1178 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7818b8f4-47c6-441a-90ae-12ce04e99893\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1057 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78255758-6d45-4bf0-a005-7016bc03b13c\"},{\"properties\":{\"displayName\":\"Microsoft + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft + Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft + Managed Control 1258 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft + Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft + Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network - Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1010 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"784663a8-1eb0-418a-a98c-24d19bc1bb62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1216 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7894fe6a-f5cb-44c8-ba90-c3f254ff9484\"},{\"properties\":{\"displayName\":\"Microsoft + Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft + Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft + Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System - Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78e8e649-50f6-4fe3-99ac-fedc2e63b03f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1647 - Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"791cfc15-6974-42a0-9f4c-2d4b82f4a78c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1510 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79da5b09-0e7e-499e-adda-141b069c7998\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1384 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79fbc228-461c-4a45-9004-a865ca0728a7\"},{\"properties\":{\"displayName\":\"Deploy + Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft + Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft + Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft + Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console - is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"EMSPortNumber\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS - Port Number\",\"description\":\"An integer indicating the COM port to be used - for the Emergency Management Services (EMS) console redirection. 
For more - information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"1\",\"2\",\"3\",\"4\"],\"defaultValue\":\"1\"},\"EMSBaudRate\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS - Baud Rate\",\"description\":\"An integer indicating the baud rate to be used + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more - information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"9600\",\"19200\",\"38400\",\"57600\",\"115200\"],\"defaultValue\":\"115200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Micros
oft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber', - '=', parameters('EMSPortNumber'), ',', '[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate', - '=', 
parameters('EMSBaudRate')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsSerialConsole\"},\"EMSPortNumber\":{\"value\":\"[parameters('EMSPortNumber')]\"},\"EMSBaudRate\":{\"value\":\"[parameters('EMSBaudRate')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EMSPortNumber\":{\"type\":\"string\"},\"EMSBaudRate\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a031c68-d6ab-406e-a506-697a19c634b0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1093 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1708 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a1e2c88-13de-4959-8ee7-47e3d74f1f48\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1289 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a724864-956a-496c-b778-637cb1d762cf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1687 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a87fc7f-301e-49f3-ba2a-4d74f424fa97\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1061 - Remote Access | Automated Monitoring / Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ac22808-a2e8-41c4-9d46-429b50738914\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1492 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ad5f307-e045-46f7-8214-5bdb7e973737\"},{\"properties\":{\"displayName\":\"Microsoft + information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS + Baud Rate","description":"An integer indicating the baud rate to be used for + the Emergency Management Services (EMS) console redirection. 
For more information + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"
allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', + ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft + Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft + Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft + Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft + Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft + Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft + Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / - Mechanisms / Support Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7b694eed-7081-43c6-867c-41c76c961043\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Virtual Machine Scale Sets should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic + logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"IaaSDiagnostics\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Diagnostics\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"LinuxDiagnostic\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"in\":[\"Microsoft.OSTCExtensions\",\"Microsoft.Azure.Diagnostics\"]}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c1b1214-f927-48bf-8882-84f0af6588b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Require blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + investigations are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Storage\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1143 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c6de11b-5f51-4f7c-8d83-d2467c8a816e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1051 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1279 - Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\"},{\"properties\":{\"displayName\":\"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + 
Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft + Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft + Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of - Planned Audit Record Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1201 - Security Impact Analysis | Separate Test Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7daef997-fdd3-461b-8807-a608a6dd70f1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1471 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7dd0e9ce-1772-41fb-a50a-99977071f916\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft + Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft + Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show + audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e56b49b-5990-4159-a734-511ea19b731c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1011 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e6a54f3-883f-43d5-87c4-172dfd64a1f5\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that have not restarted within the specified - number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that have not restarted within the specified - number of days. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e84ba44-6d03-46fd-950e-5efa5a1112fa\"},{\"properties\":{\"displayName\":\"Microsoft + number of days","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that have not restarted within the specified number of days. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound - Communications Traffic\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ecda928-9df4-4dd7-8f44-641a91e470e8\"},{\"properties\":{\"displayName\":\"[Preview]: + Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity - setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordMustMeetComplexityRequirements\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit 
https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{
"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f26a61b-a74d-467c-99cf-63644db144f7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1520 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f2c513b-eb16-463b-b469-c10e5fa94f0a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f37f71b-420f-49bf-9477-9c0196974ecf\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft + Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft + Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Privilege Use'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\"},{\"properties\":{\"displayName\":\"Audit - diagnostic setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - diagnostic setting for selected resource types\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfResourceTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - 
Types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypes')]\"},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f89b1eb-583c-429a-8828-af049802c1d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7fbfe680-6dbb-4037-963c-a621c5635902\"},{\"properties\":{\"displayName\":\"SQL + category: ''System Audit Policies - Privilege Use''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft + Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical - activities\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"The - AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, + activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups + property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"FAILED_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"BATCH_COMPLETED_GROUP\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ff426e2-515f-405a-91c8-4f2333442eb5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1703 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"804faf7d-b687-40f7-9f74-79e28adf4205\"},{\"properties\":{\"displayName\":\"Microsoft + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft + Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. 
Users) | Local - Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"80ca0a27-918a-4604-af9e-723a27ee51e8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1505 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"813a10a7-3943-4fe3-8678-00dc52db5490\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1614 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8154e3b3-cc52-40be-9407-7756581d71f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft + Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'User Rights Assignment'. + with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may access this computer from the network\",\"description\":\"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. - This does not include Remote Desktop Connection.\"},\"defaultValue\":\"Administrators, - Authenticated Users\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may log on locally\",\"description\":\"Specifies which - users or groups can interactively log on to the computer. 
Users who attempt - to log on via Remote Desktop Connection or IIS also require this user right.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may log on through Remote Desktop Services\",\"description\":\"Specifies + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, - Remote Desktop, or for Remote Assistance.\"},\"defaultValue\":\"Administrators, - Remote Desktop Users\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied access to this computer from the network\",\"description\":\"Specifies + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the 
network.\"},\"defaultValue\":\"Guests\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may manage auditing and security log\",\"description\":\"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may back up files and directories\",\"description\":\"Specifies + and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may change the system time\",\"description\":\"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies which users and groups are permitted to change the time and date on the internal - clock of the computer.\"},\"defaultValue\":\"Administrators, LOCAL SERVICE\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may change the time 
zone\",\"description\":\"Specifies - which users and groups are permitted to change the time zone of the computer.\"},\"defaultValue\":\"Administrators, - LOCAL SERVICE\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may create a token object\",\"description\":\"Specifies - which users and groups are permitted to create an access token, which may - provide elevated rights to access sensitive data.\"},\"defaultValue\":\"No - One\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied logging on as a batch job\",\"description\":\"Specifies + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task).\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied logging on as a service\",\"description\":\"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied local logon\",\"description\":\"Specifies - which users and groups are explicitly not permitted to log on to the computer.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied log on through Remote Desktop Services\",\"description\":\"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client.\"},\"defaultValue\":\"Guests\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - User and groups that may force shutdown from a remote system\",\"description\":\"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may 
force shutdown from a remote system","description":"Specifies which users and groups are permitted to shut down the computer from a remote - location on the network.\"},\"defaultValue\":\"Administrators\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that may restore files and directories\",\"description\":\"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that may shut down the system\",\"description\":\"Specifies - which users and groups who are logged on locally to the computers in your - environment are permitted to shut down the operating system with the Shut - Down command.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may take ownership of files or other objects\",\"description\":\"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down 
command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user.\"},\"defaultValue\":\"Administrators\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equa
ls\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Access - this computer from the network;ExpectedValue', '=', parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'), - ',', 'Allow log on locally;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnLocally'), - ',', 'Allow log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'), - ',', 'Deny access to this computer from the network;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'), - ',', 'Manage auditing and security log;ExpectedValue', '=', parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'), - ',', 'Back up files and 
directories;ExpectedValue', '=', parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'), - ',', 'Change the system time;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheSystemTime'), - ',', 'Change the time zone;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheTimeZone'), - ',', 'Create a token object;ExpectedValue', '=', parameters('UsersOrGroupsThatMayCreateATokenObject'), - ',', 'Deny log on as a batch job;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'), - ',', 'Deny log on as a service;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'), - ',', 'Deny log on locally;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLocalLogon'), - ',', 'Deny log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'), - ',', 'Force shutdown from a remote system;ExpectedValue', '=', parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'), - ',', 'Restore files and directories;ExpectedValue', '=', parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'), - ',', 'Shut down the system;ExpectedValue', '=', parameters('UsersAndGroupsThatMayShutDownTheSystem'), - ',', 'Take ownership of files or other objects;ExpectedValue', '=', 
parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_UserRightsAssignment\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLo
gOnThroughRemoteDesktopServices')]\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"string\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"string\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"string\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"string\"},\"UsersAndGroupsThatMayShutDownThe
System\":{\"type\":\"string\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access - this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny - access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage - auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back - up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change - the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change - the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create - a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny - log on as a batch 
job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny - log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force - shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore - files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut - down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take - ownership of files or other objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access - this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow - log on through Remote Desktop 
Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny - access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage - auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back - up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change - the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change - the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create - a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny - log on as a batch job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny - log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force - shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore - files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut - down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take - ownership of files or other 
objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"815dcc9f-6662-43f2-9a03-1b83e9876f24\"},{\"properties\":{\"displayName\":\"Microsoft + that are in place to protect objects to give ownership to the specified 
user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), + '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), + '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', + parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices''), '','', + ''Deny access to this computer from the network;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork''), + '','', ''Manage auditing and security log;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog''), + '','', ''Back up files and directories;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories''), + '','', ''Change the system time;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayChangeTheSystemTime''), + '','', ''Change the time zone;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayChangeTheTimeZone''), + '','', ''Create a token object;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayCreateATokenObject''), + '','', ''Deny log on as a batch job;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob''), + '','', ''Deny log on as a service;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService''), + '','', ''Deny log on 
locally;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLocalLogon''), + '','', ''Deny log on through Remote Desktop Services;ExpectedValue'', ''='', + parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices''), + '','', ''Force shutdown from a remote system;ExpectedValue'', ''='', parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem''), + '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), + '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), + '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersO
rGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayC
reateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system 
time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the 
network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the 
system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. 
Users) | Remote - Access - Separate Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81817e1c-5347-48dd-965a-40159d008229\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1287 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"819dc6da-289d-476e-8500-7e341ef8677d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81f11e32-a293-4a58-82cd-134af52e2318\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for MySQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82339799-d096-41ae-8538-b108becf0970\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1168 - Continuous Monitoring | Independent Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82409f9e-1f32-4775-bf07-b99d53a91b06\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1448 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"825d6494-e583-42f2-a3f2-6458e6f0004f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1452 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82c76455-4d3f-4e09-a654-22e592107e74\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1262 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"831e510e-db41-4c72-888e-a0621ab62265\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1008 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8356cfc6-507a-4d20-b818-08038011cd07\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Event Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft + Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft + Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft + Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft + Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft + Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft + Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft + Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic + logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Event - Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a214f7-d01a-484b-91a9-ed54470c9a6a\"},{\"properties\":{\"displayName\":\"Network - interfaces should not have public 
IPs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. 
Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. - This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id\",\"notLike\":\"*\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a86a26-fd1f-447c-b59d-e51f44264114\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1382 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"841392b3-40da-4473-b328-4cde49db67b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1098 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84363adb-dde3-411a-9fc1-36b56737f822\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the Web - app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft + Managed Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the Web + app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"843664e0-7563-41ee-a9cb-7522c382d2c4\"},{\"properties\":{\"displayName\":\"Microsoft + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft 
Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review - And Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"845f6359-b764-4b40-b579-657aefe23c44\"},{\"properties\":{\"displayName\":\"Microsoft + And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical - Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84914fb4-12da-4c53-a341-a9fd463bed10\"},{\"properties\":{\"displayName\":\"Microsoft + Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. - Access To Non-Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84e622c8-4bed-417c-84c6-b2fb0dd73682\"},{\"properties\":{\"displayName\":\"Microsoft + Access To Non-Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage - Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"852981b4-a380-4704-aa1e-2e52d63445e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1580 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"854db8ac-6adf-42a0-bef3-b73f764f40b9\"},{\"properties\":{\"displayName\":\"Microsoft + Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) - | Acceptance Of Third-Party Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"855ced56-417b-4d74-9d5f-dd1bc81e22d6\"},{\"properties\":{\"displayName\":\"Microsoft + | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized - Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"85c32733-7d23-4948-88da-058e2c56b60f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1326 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8605fc00-1bf5-4fb3-984e-c95cec4f231d\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Microsoft Network Server'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infr
astructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86880e5c-df35-43c5-95ad-7e120635775e\"},{\"properties\":{\"displayName\":\"Deploy - SQL DB transparent data 
encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enables - transparent data encryption on SQL databases\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullDbName\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('fullDbName'), - '/current')]\",\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"apiVersion\":\"2014-04-01\",\"properties\":{\"status\":\"Enabled\"}}]},\"parameters\":{\"fullDbName\":{\"value\":\"[field('fullName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86a912f6-9a06-4e26-b447-11b16ba8659f\"},{\"properties\":{\"displayName\":\"System - updates should be installed on your machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Missing + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy + SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables + transparent data encryption on SQL 
databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + ''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System + updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"systemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86b3d65f-7626-441e-b690-81a8b71cff60\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1507 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ccd1bf-e7ad-4851-93ce-6ec817469c1e\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is enabled on API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft + Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86d97760-d216-4d81-a3ad-163087b2b6c3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1392 - Information Spillage Response | Post-Spill Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86dc819f-15e1-43f9-a271-41ae58d4cecc\"},{\"properties\":{\"displayName\":\"Microsoft + Azure services securely without the 
need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft + Managed Control 1392 - Information Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments - / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ec7f9b-9478-40ff-8cfd-6a0d510081a8\"},{\"properties\":{\"displayName\":\"Microsoft + / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / - Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8713a0ed-0d1e-4d10-be82-83dffb39830e\"},{\"properties\":{\"displayName\":\"Require - specified tag\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces - existence of a tag. Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"871b6d14-10aa-478d-b590-94f262ecfa99\"},{\"properties\":{\"displayName\":\"Microsoft + Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require + specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy - / Currency\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"874e7880-a067-42a7-bcbe-1a340f54c8cc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1635 - Boundary Protection | Host-Based Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft + Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - Control Panel'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87b590fe-4a1d-4697-ae74-d4fe72ab786c\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Administrative Templates - Control Panel''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87f7cd82-2e45-4d0f-9e2f-586b0962d142\"},{\"properties\":{\"displayName\":\"Microsoft + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document - / Verify\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"881299bf-2a5b-4686-a1b2-321d33679953\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1356 - Incident Response Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8829f8f5-e8be-441e-85c9-85b72a5d0ef3\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft + Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy + prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names\",\"description\":\"A semicolon-separated list of the names of the applications - that should not be installed. e.g. 
'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\"
:[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent', - '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), - 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"not_installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"884b209a-963b-4520-8006-d20cb3c213e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1317 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8877f519-c166-47b7-81b7-8a8eb4ff3775\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1501 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88817b58-8472-4f6c-81fa-58ce42b67f51\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names","description":"A semicolon-separated list of the names of the applications + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', + '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft + Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft + Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App 
Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88999f4c-376a-45c8-bcb3-4058f713cf39\"},{\"properties\":{\"displayName\":\"Network - interfaces should disable IP forwarding\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App 
Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","type":"Microsoft.Authorization/policyDefinitions","name":"88999f4c-376a-45c8-bcb3-4058f713cf39"},{"properties":{"displayName":"Network + interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting - of IP forwarding disables Azure's check of the source and destination for - a network interface. 
This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"field\":\"Microsoft.Network/networkInterfaces/enableIpForwarding\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88c0b9da-ce96-4b03-9635-f29a937e2900\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1215 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88fc93e8-4745-4785-b5a5-b44bb92c44ff\"},{\"properties\":{\"displayName\":\"SQL + of IP forwarding disables Azure''s check of the source and destination for + a network interface. 
This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 - days.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL servers configured with an auditing retention period of less than 90 days.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/retentionDays\",\"greater\":90}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"89099bee-89e0-4b26-a5f4-165451757743\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1411 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"898d4fe8-f743-4333-86b7-0c9245d93e7d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1092 - Security Awareness Training | Insider Threat\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a29d47b-8604-4667-84ef-90d203fcb305\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft + Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + System settings''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - System settings'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a39d1f1-5513-4628-b261-f469a5a3341b\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + category: ''Security Options - System settings''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b0de57a-f511-4d45-a277-17cb79cb163b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1534 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b2b263e-cd05-4488-bcbf-4debec7a17d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1170 - Penetration 
Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Windows Firewall Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft + Managed Control 1170 - Penetration Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Windows Firewall Properties'. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8bbd627e-4d25-4906-9a6e-3789780af3ec\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + category: ''Windows Firewall Properties''. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"Equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c122334-9d20-4eb8-89ea-ac9a705b74ae\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1458 - Physical Access Control | Information System Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1683 - 
Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c79fee4-88dd-44ce-bbd4-4de88948c4f8\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1316 - Identifier Management | Identify User 
Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce14753-66e5-465d-9841-26ef55c09c0d\"},{\"properties\":{\"displayName\":\"Require - tag and its value on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces - a required tag and its value on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce3da23-7156-49e4-b145-24f95f9dcb46\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1324 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and 
Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cfea2b3-7f77-497e-ac20-0752f2ff6eee\"},{\"properties\":{\"displayName\":\"Microsoft + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft + Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft + Managed Control 1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest + TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft + Managed Control 1316 - Identifier Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require + tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as 
''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft + Managed Control 1324 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated - Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d096fe0-f510-4486-8b4d-d17dc230980b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1288 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8dc459b3-0e77-45af-8d71-cfd8c9654fe2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1250 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8de614d8-a8b7-4f70-a62a-6d37089a002c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft + Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft + Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft + Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Object Access'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditDetailedFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Detailed File Share\",\"description\":\"If this policy setting is enabled, + with non-compliant settings in Group Policy category: ''System Audit Policies + - Object Access''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing - for Success can lead to very high volumes of events.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - Auditing\"},\"AuditFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit File Share\",\"description\":\"Specifies whether to audit events related + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File - Servers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"},\"AuditFileSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit File System\",\"description\":\"Specifies whether audit events are generated + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated - only for objects that have configured system access control lists (SACLs).\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePub
lisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Detailed File Share;ExpectedValue', '=', parameters('AuditDetailedFileShare'), - ',', 'Audit File Share;ExpectedValue', '=', parameters('AuditFileShare'), - ',', 'Audit File System;ExpectedValue', '=', 
parameters('AuditFileSystem')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\"},\"AuditDetailedFileShare\":{\"value\":\"[parameters('AuditDetailedFileShare')]\"},\"AuditFileShare\":{\"value\":\"[parameters('AuditFileShare')]\"},\"AuditFileSystem\":{\"value\":\"[parameters('AuditFileSystem')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditDetailedFileShare\":{\"type\":\"string\"},\"AuditFileShare\":{\"type\":\"string\"},\"AuditFileSystem\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit - File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit - File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit - File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit - File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e170edb-e0f5-497a-bb36-48b3280cec6a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1278 - Alternate Processing Site | Preparation For Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e5ef485-9e16-4c53-a475-fbb8107eac59\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1517 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8f5ad423-50d6-4617-b058-69908f5586c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1668 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fb0966e-be1d-42c3-baca-60df5c0bcc61\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1013 - Account Management | Automated System Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fd7b917-d83b-4379-af60-51e14e316c61\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1147 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fef824a-29a8-4a4c-88fc-420a39c0d541\"},{\"properties\":{\"displayName\":\"[Preview]: + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), + '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), + '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft + Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft + Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft + Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft + Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft + Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using - reversible encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"StorePasswordsUsingReversibleEncryption\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ff0b18b-262e-4512-857a-48ad0aeb9a78\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1550 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"902908fb-25a8-4225-a3a5-5603c80066c9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall - Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
+ toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft + Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall + 
Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. + with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Use profile settings\",\"description\":\"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Apply local firewall rules\",\"description\":\"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Use profile settings\",\"description\":\"Specifies + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Apply local firewall rules\",\"description\":\"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Private profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Use profile settings\",\"description\":\"Specifies + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Apply local firewall rules\",\"description\":\"Specifies + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Domain: Allow unicast response\",\"description\":\"Specifies + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; - for the Domain profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Private: Allow unicast response\",\"description\":\"Specifies + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or 
broadcast messages; - for the Private profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Public: Allow unicast response\",\"description\":\"Specifies + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; - for the Public profile.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-in
ternet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Windows - Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), - ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Domain: Settings: Apply local 
firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), - ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), - ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows - Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), - ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), - ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows - Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), - ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', - parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: - Private: Allow unicast response;ExpectedValue', '=', 
parameters('WindowsFirewallPrivateAllowUnicastResponse'), - ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', - parameters('WindowsFirewallPublicAllowUnicastResponse')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsFirewallProperties\"},\"WindowsFirewallDomainUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},\"WindowsFirewallDomainDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},\"WindowsFirewallPublicUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirew
allPublicBehaviorForOutboundConnections')]\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},\"WindowsFirewallPublicDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPubli
cApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallPublicDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows - Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Private: Outbound 
connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows - Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Private: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: 
Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"909c958d-1b99-4c74-b88f-46a5c5bc34f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90b60a09-133d-45bc-86ef-b206a6134bbe\"},{\"properties\":{\"displayName\":\"Deploy + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows + Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), + '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', + parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', + ''Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainApplyLocalFirewallRules''), '','', + ''Windows Firewall: Domain: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainDisplayNotifications''), '','', ''Windows + Firewall: Private: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateUseProfileSettings''), + '','', ''Windows Firewall: Private: Outbound connections;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections''), + '','', ''Windows Firewall: Private: Settings: Apply local connection security + rules;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateApplyLocalFirewallRules''), '','', + ''Windows Firewall: 
Private: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateDisplayNotifications''), '','', + ''Windows Firewall: Public: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallPublicUseProfileSettings''), + '','', ''Windows Firewall: Public: Outbound connections;ExpectedValue'', ''='', + parameters(''WindowsFirewallPublicBehaviorForOutboundConnections''), '','', + ''Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicApplyLocalFirewallRules''), '','', + ''Windows Firewall: Public: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicDisplayNotifications''), '','', ''Windows + Firewall: Domain: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainAllowUnicastResponse''), + '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', + ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', + 
parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApp
lyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastRespon
se":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: 
Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall 
state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security 
rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft + Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows - PowerShell modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Modules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell - Modules\",\"description\":\"A semicolon-separated list of the names of the - PowerShell modules that should be installed. You may also specify a specific - version of a module that should be installed by including a comma after the - module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\"
:\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellModules]PowerShellModules1;Modules', - '=', 
parameters('Modules')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellModules\"},\"Modules\":{\"value\":\"[parameters('Modules')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Modules\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90ba2ee7-4ca8-4673-84d1-c851c50d3baf\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell + Modules","description":"A semicolon-separated list of the names of the PowerShell + modules that should be installed. You may also specify a specific version + of a module that should be installed by including a comma after the module + name, followed by the desired version. e.g. 
PSDscResources; SqlServerDsc, + 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.C
ompute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit - Trail\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90d8b8ad-8ee3-4db7-913f-2a53fcff5316\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1355 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90e01f69-3074-4de8-ade7-0fef3e7d83e0\"},{\"properties\":{\"displayName\":\"Microsoft + Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft + Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative - Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90f01329-a100-43c2-af31-098996135d2b\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Windows Components'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9178b430-2295-406e-bb28-f6a7a2a2f897\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1069 - Wireless Access | Authentication And Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"91c97b44-791e-46e9-bad7-ab7c4949edbb\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Windows 
Components''. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute
/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection - / Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"924e1b2d-c502-478f-bfdb-a7e09a0d5c01\"},{\"properties\":{\"displayName\":\"MFA - should be enabled accounts with write permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + / Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9297c21d-2ed6-4474-b48f-163f75654ce3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1290 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"92f85ce9-17b7-49ea-85ee-ea7271ea6b82\"},{\"properties\":{\"displayName\":\"[Preview]: + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft + Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within - the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9328f27e-611e-44a7-a244-39109d7d35ab\"},{\"properties\":{\"displayName\":\"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does - not contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members - to include\",\"description\":\"A semicolon-separated list of members that - should be included in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":
\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToInclude', - '=', parameters('MembersToInclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToInclude\"},\"MembersToInclude\":{\"value\":\"[parameters('MembersToInclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToInclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93507a81-10a4-4af0-9ee2-34cf25a96e98\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members + to include","description":"A semicolon-separated list of members that should + be included in the Administrators local group. 
Ex: Administrator; myUser1; + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + ''='', parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security - Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\"},{\"properties\":{\"displayName\":\"Microsoft + Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks - For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e9e233-dd0a-4bde-aea5-1371bce0e002\"},{\"properties\":{\"displayName\":\"Microsoft + For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore - Within Time Period\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93fd8af1-c161-4bae-9ba9-f62731f76439\"},{\"properties\":{\"displayName\":\"Microsoft + Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"942b3e97-6ae3-410e-a794-c9c999b97c0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1379 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9442dd2c-a07f-46cd-b55a-553b66ba47ca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1371 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9447f354-2c85-4700-93b3-ecdc6cb6a417\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in European data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: North Europe, West Europe\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"94c19f19-8192-48cd-a11b-e37099d3e36b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1526 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"953e6261-a05a-44fd-8246-000e1a3edbb9\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft + Managed Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they - reach the web app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95bccee9-a7f8-4bec-9ee9-62c3473701fc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1163 - Continuous 
Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"961663a1-8a91-4e59-b6f5-1eee57c0f49c\"},{\"properties\":{\"displayName\":\"Require - specified tag on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces - existence of a tag on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"96670d01-0a4d-4649-9c89-2d3abc0a5025\"},{\"properties\":{\"displayName\":\"Microsoft + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft + Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require + specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary - Or Machine Executable Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\"},{\"properties\":{\"displayName\":\"Advanced + Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email 
address to receive - security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send alerts to' field in the Advanced - Data Security server settings. This email address receives alert notifications - when anomalous activities are detected on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9677b740-f641-4f3c-b9c5-466005c85278\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1453 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9693b564-3008-42bc-9d5d-9c7fe198c011\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Adminstrative Templates - - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send alerts to'' field in the + Advanced Data Security server settings. This email address receives alert + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft + Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Adminstrative Templates - MSS (Legacy)'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97646672-5efa-4622-9b54-740270ad60bf\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Administrative Templates - MSS (Legacy)''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic - Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"976a74cf-b192-4d35-8cab-2068f272addb\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System 
and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Policy Change'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditAuthenticationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Authentication Policy Change\",\"description\":\"Specifies whether audit + with non-compliant settings in Group Policy category: ''System Audit Policies + - Policy Change''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust - and privileges that are granted to user accounts or groups.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Authorization Policy Change\",\"description\":\"Specifies whether audit + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes - changes and Central Access Policy changes for file system objects.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - 
Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\
"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Authentication Policy Change;ExpectedValue', '=', parameters('AuditAuthenticationPolicyChange'), - ',', 'Audit Authorization Policy Change;ExpectedValue', '=', parameters('AuditAuthorizationPolicyChange')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\"},\"AuditAuthenticationPolicyChange\":{\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},\"AuditAuthorizationPolicyChange\":{\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditAuthenticationPolicyChange\":{\"type\":\"string\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(paramete
rs('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit - Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit - Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97b595c8-fd10-400e-8543-28e2b9138b13\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1136 - Audit Record Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97ed5bac-a92f-4f6d-a8ed-dc094723597c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1378 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97fceb70-6983-42d0-9331-18ad8253184d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in United States data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf
":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft + Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft + Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West 
US\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"centralus\",\"eastus\",\"eastus2\",\"northcentralus\",\"southcentralus\",\"westus\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"983211ba-f348-4758-983b-21fa29294869\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + US2, North Central US, South Central US, West US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - Network'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnableInsecureGuestLogons\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enable insecure guest logons\",\"description\":\"Specifies whether the SMB - client will allow insecure guest logons to an SMB server.\"},\"defaultValue\":\"0\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow simultaneous connections to the Internet or a Windows Domain\",\"description\":\"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them.\"},\"defaultValue\":\"1\"},\"TurnOffMulticastNameResolution\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn off multicast name resolution\",\"description\":\"Specifies whether LLMNR, + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a - local subnet link on a single subnet, is enabled.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},
{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enable - insecure guest logons;ExpectedValue', '=', parameters('EnableInsecureGuestLogons'), - ',', 'Minimize the number of simultaneous connections to the Internet or a - Windows Domain;ExpectedValue', '=', parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'), - ',', 'Turn off multicast name resolution;ExpectedValue', '=', 
parameters('TurnOffMulticastNameResolution')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesNetwork\"},\"EnableInsecureGuestLogons\":{\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},\"TurnOffMulticastNameResolution\":{\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnableInsecureGuestLogons\":{\"type\":\"string\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"string\"},\"TurnOffMulticastNameResolution\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable - insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize - the number of simultaneous connections to the Internet or a Windows 
Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn - off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable - insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize - the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn - off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"985285b7-b97a-419c-8d48-c88cc934c8d8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1076 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"98a4bd5f-6436-46d4-ad00-930b5b1dfed4\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + local subnet link on a single subnet, is 
enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), + '','', ''Minimize the number of simultaneous connections to the Internet or + a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string
"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft + Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Api 
app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"991310cd-e9f3-47bc-b7b6-f57b557d07db\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1102 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9943c16a-c54c-4b4a-ad28-bfd938cdbf57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1300 - Identification And Authentication (Organizational Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"99deec7d-5526-472e-b07c-3645a792026a\"},{\"properties\":{\"displayName\":\"Microsoft + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft + Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft + Managed Control 1300 - Identification And Authentication (Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\"},{\"properties\":{\"displayName\":\"FTPS - only should be required in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a1b8c48-453a-4044-86c3-d8bfd823e4f5\"},{\"properties\":{\"displayName\":\"Microsoft + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS + only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared - / Group Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a3eb0a3-428d-4669-baff-20a14eb4b551\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Azure SQL Database to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.Sql/servers/databases/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('fullName'), - '/', 
'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Errors\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DatabaseWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Blocks\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLInsights\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Timeouts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutomaticTuning\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Deadlocks\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - diagnostic settings for ', parameters('fullName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"fullName\":{\"value\":\"[field('fullName')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a7c7a7d-49e5-4213-bea8-6a502b6272e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1049 - System 
Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9adf7ba7-900a-4f35-8d57-9f34aafc405c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1563 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9afe2edf-232c-4fdf-8e6a-e867a5c525fd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1462 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\"},{\"properties\":{\"displayName\":\"Microsoft - IaaSAntimalware extension should be deployed on Windows servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft + Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft + Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft + Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft + IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-sma
lldisk\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b597639-28e4-48eb-b506-56b05d366257\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1236 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ba3ed84-c768-4e18-b87c-34ef1aff1b57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1525 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9be2f688-7a61-45e3-8230-e1ec93893f66\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions",
"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft + Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft + Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications 
that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9bfe3727-0a17-471f-a2fe-eddd6b668745\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1138 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c284fc0-268a-4f29-af44-3c126674edb4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1135 - Non-Repudiation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c308b6b-2429-4b97-86cf-081b8e737b04\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1489 - Location Of Information System Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0a794f-1444-4c96-9534-e35fc8c39c91\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Funtion app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft + Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft + Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App 
Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1322 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d1d971e-467e-4278-9633-c74c3d4fecc4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1233 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d79001f-95fe-45d0-8736-f217e78c1f57\"},{\"properties\":{\"displayName\":\"Microsoft + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App 
Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft + Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft + Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group - Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9166a8-1722-4b8f-847c-2cf3f2618b3d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1259 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9e18f7-bad9-4d30-8806-a0c9d5e26208\"},{\"properties\":{\"displayName\":\"Access - through Internet facing endpoint should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure - Security center has identified some of your Network Security Groups' inbound - rules to be too permissive. Inbound rules should not allow access from 'Any' - or 'Internet' ranges. This can potentially enable attackers to easily target - your resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedNetworkEndpoint\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9daedab3-fb2d-461e-b861-71790eead4f6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1500 - Rules Of 
Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\"},{\"properties\":{\"displayName\":\"Microsoft + Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft + Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access + through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure + Security center has identified some of your Network Security Groups'' inbound + rules to be too permissive. Inbound rules should not allow access from ''Any'' + or ''Internet'' ranges. This can potentially enable attackers to easily target + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft + Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With - Alarms / Notifications\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9df4277e-8c88-4d5c-9b1a-541d53d15d7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1490 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e61da80-0957-4892-b70c-609d5eaafb6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1504 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e7c35d0-12d4-4e0c-80a2-8a352537aefd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1609 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e93fa71-42ac-41a7-b177-efbfdc53c69f\"},{\"properties\":{\"displayName\":\"Append - tag and its value from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft + Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft + Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + Managed Control 1504 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append + tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources - are changed. New 'modify' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1494 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed09d84-3311-4853-8b67-2b55dfa33d09\"},{\"properties\":{\"displayName\":\"Microsoft + are changed. New ''modify'' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft + Managed Control 1494 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection - Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed5ca00-0e43-434e-a018-7aab91461ba7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1187 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f2b2f9e-4ba6-46c3-907f-66db138b6f85\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that are not set to the specified time zone\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Measures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft + Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show + audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f658460-46b7-43af-8565-94fc0662be38\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1354 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9fd92c17-163a-4511-bb96-bbb476449796\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not - connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + connected as expected","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a030a57e-4639-4e8f-ade9-a92f33afe7ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1145 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0724970-9c75-4a64-a225-a28002953f28\"},{\"properties\":{\"displayName\":\"Allowed - resource 
types\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"fiel
d":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed + resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can - deploy. Only resource types that support 'tags' and 'location' will be affected - by this policy. 
To restrict all resources please duplicate this policy and - change the 'mode' to 'All'.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of resource types that can be deployed.\",\"displayName\":\"Allowed resource - types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesAllowed')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a08ec900-254a-4555-9bf5-e42af04b5c5c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1245 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0e45314-57b8-4623-80cd-bbb561f59516\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1406 - Maintenance Tools | Inspect Media\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\"},{\"properties\":{\"displayName\":\"Security - Center standard pricing tier should be selected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + deploy. Only resource types that support ''tags'' and ''location'' will be + affected by this policy. To restrict all resources please duplicate this policy + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + list of resource types that can be deployed.","displayName":"Allowed resource + types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft + Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft + Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Security/pricings\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"exists\":\"true\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"notEquals\":\"Standard\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1181c5f-672a-477a-979a-7d58aa086233\"},{\"properties\":{\"displayName\":\"All + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from - Service Bus namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Service + Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Service - Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1817ec0-a368-432a-8057-8371e17ac6ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a18adb5b-1db6-4a5b-901a-7d3797d12972\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Logic Apps to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + security 
model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft + Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or 
updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName')
, - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1dae6c7-13f3-48ea-a149-ff8442661f60\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - System'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1e8dda3-9fd2-4835-aec3-0e55531fde33\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1612 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2037b3d-8b04-4171-8610-e6d4f1d08db5\"},{\"properties\":{\"displayName\":\"Microsoft + 
rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60","type":"Microsoft.Authorization/policyDefinitions","name":"a1dae6c7-13f3-48ea-a149-ff8442661f60"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - System''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Administrative + Templates - System''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document - Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a20d2eaa-88e2-4907-96a2-8f3a05797e5c\"},{\"properties\":{\"displayName\":\"Microsoft + Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary - Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a23d9d53-ad2e-45ef-afd5-e6d10900a737\"},{\"properties\":{\"displayName\":\"Microsoft + Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion - Detection System\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2567a23-d1c3-4783-99f3-d471302a4d6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2596a9f-e59f-420d-9625-6e0b536348be\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1059 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29b5d9f-4953-4afe-b560-203a6410b6b4\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft + Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + Managed Control 1059 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show + audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29ee95c-0395-4515-9851-cc04ffe82a91\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1532 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2c66299-9017-4d95-8040-8bdbf7901d52\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1664 - Protection Of Information At Rest | Cryptographic 
Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2cdf6b8-9505-4619-b579-309ba72037ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1252 - Contingency Plan | Capacity Planning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1238 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1693 - Information System Monitoring | System-Generated Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a450eba6-2efc-4a00-846a-5804a93c6b77\"},{\"properties\":{\"displayName\":\"Audit - usage of custom RBAC rules\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft + Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft + Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft + Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft + Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit + usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit + built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a451c1ef-c6ca-483d-87ed-f49761e3ffb5\"},{\"properties\":{\"displayName\":\"Web - Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web + Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping 
attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a4af4a39-4135-47fb-b175-47fbdf85311d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1617 - Application Partitioning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a631d8f5-eb81-4f9d-9ee1-74431371e4a3\"},{\"properties\":{\"displayName\":\"Auditing - on SQL server should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Auditing + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft + Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing on your SQL Server should be enabled to track database activities across all - databases on the server and save them in an audit log.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Desired - Auditing 
setting\"},\"allowedValues\":[\"enabled\",\"disabled\"],\"defaultValue\":\"enabled\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\"},{\"properties\":{\"displayName\":\"The - Log Analytics agent should be installed on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired + Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The + Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log 
Analytics agent - is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a70ca396-0a34-413a-88e1-b956c1e683be\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1431 - Media Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7173c52-2b99-4696-a576-63dd5f970ef4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1644 - Cryptographic Key Establishment And Management | Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7211477-c970-446b-b4af-062f37461147\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1027 - Access Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\"},{\"properties\":{\"displayName\":\"DDoS - Protection Standard should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"DDoS + is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft + Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft + Managed Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft + Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS + Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"microsoft.network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableDDoSProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7aca53f-2ed4-4466-a25e-0b45ade68efd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1570 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7fcf38d-bb09-4600-be7d-825046eb162a\"},{\"properties\":{\"displayName\":\"Require - encryption on Data Lake Store accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy ensures encryption is enabled on all Data Lake Store accounts\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},{\"field\":\"Microsoft.DataLakeStore/accounts/encryptionState\",\"equals\":\"Disabled\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7ff3161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1295 - Information System Recovery And Reconstitution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a895fbdb-204d-4302-9689-0a59dc42b3d9\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor unencrypted SQL databases in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Unencrypted + that is part of an application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft + Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require + encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"version":"1.0.0","category":"Data + Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: + 
Monitor unencrypted SQL databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a8bef009-a5c9-4d0f-90d7-6018734e8a16\"},{\"properties\":{\"displayName\":\"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary - / Alternate Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9172e76-7f56-46e9-93bf-75d69bdb5491\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1400 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96d5098-a604-4cdf-90b1-ef6449a27424\"},{\"properties\":{\"displayName\":\"Microsoft + / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft + Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit - Repositories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96f743d-a195-420d-983a-08aa06bc441e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1199 - Configuration Change Control | Cryptography Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a08d1c-09b1-48f1-90ea-029bbdf7111e\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft + Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Detailed Tracking'. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a33475-481d-4b81-9116-0bf02ffe67e8\"},{\"properties\":{\"displayName\":\"Deploy - network watcher when virtual networks are created\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''System Audit Policies - Detailed Tracking''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"networkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"equals\":\"[field('location')]\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2016-09-01\",\"type\":\"Microsoft.Network/networkWatchers\",\"name\":\"[concat('networkWatcher_', - parameters('location'))]\",\"location\":\"[parameters('location')]\"}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1511 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9eae324-d327-4539-9293-b48e122465f8\"},{\"properties\":{\"displayName\":\"MFA - should be enabled on accounts with owner permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft + Managed Control 1511 - 
Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa633080-8b72-40c4-a2d7-d00c03e80bed\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is 
enabled on WEB App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa81768c-cb87-4ce2-bfaa-00baa10d760c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1539 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aabb155f-e7a5-4896-a767-e918bfae2ee0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1006 - Account 
Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aae8d54c-4bce-4c04-b3aa-5b65b67caac8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1461 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aafef03e-fea8-470b-88fa-54bd1fcd7064\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1073 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft + Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft + Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft + Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft + Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab965db2-d2bf-4b64-8b39-c38ec8179461\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Automatic provisioning of security monitoring agent\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Installs + and/or new functionalities of the latest 
version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: + Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. 
Applies only for subscriptions that use Azure Security Center.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"securityAgent\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abcc6037-1fc4-47f6-aac5-89706589be24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1323 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abe8f70b-680f-470c-9b86-a7edfb664ecc\"},{\"properties\":{\"displayName\":\"Advanced - data security should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL servers without Advanced Data 
Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\"},{\"properties\":{\"displayName\":\"Advanced - data security should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL managed instances without Advanced Data Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\"},{\"properties\":{\"displayName\":\"Enable - Azure Security Center on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Identifies - existing subscriptions that are not monitored by Azure Security Center (ASC).\\nSubscriptions - not monitored by ASC will be registered to the free pricing tier.\\nSubscriptions - already monitored by ASC (free or standard), will be considered compliant.\\nTo + Security Center. 
Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft + Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced + data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced + data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered 
compliant.\nTo register newly created subscriptions, open the compliance tab, select the - relevant non-compliant assignment and create a remediation task.\\nRepeat - this step when you have one or more new subscriptions you want to monitor - with Security Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/pricings\",\"name\":\"VirtualMachines\",\"deploymentScope\":\"subscription\",\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"existenceCondition\":{\"anyof\":[{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"standard\"},{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"free\"}]},\"deployment\":{\"location\":\"westeurope\",\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Security/pricings\",\"apiVersion\":\"2018-06-01\",\"name\":\"VirtualMachines\",\"properties\":{\"pricingTier\":\"free\"}}],\"outputs\":{}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac076320-ddcf-4066-b451-6154267e8ad2\"},{\"properties\":{\"displayName\":\"Microsoft + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security 
Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message - Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac43352f-df83-4694-8738-cfce549fd08d\"},{\"properties\":{\"displayName\":\"[Preview]: - Role-Based Access Control (RBAC) should be used on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"To + Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable 
or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation if 'environment' tag value in allowed values\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation if the 'environment' tag is set to one of the following - values: production, dev, test, staging\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags['environment']\",\"in\":[\"production\",\"dev\",\"test\",\"staging\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac7e5fc0-c029-4b12-91d4-a8500ce697f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1569 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1454 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad58985d-ab32-4f99-8bd3-b7e134c90229\"},{\"properties\":{\"displayName\":\"Microsoft + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation if the ''environment'' tag is set to one of the following + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft + Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical - Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"adfe020d-0a97-45f4-a39c-696ef99f3a95\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1272 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\"},{\"properties\":{\"displayName\":\"SQL - Server should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL + Server should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae5d2f14-d830-42b6-9899-df6cfe9c71a3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1598 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae7e1f5e-2d63-4b38-91ef-bce14151cce3\"},{\"properties\":{\"displayName\":\"Email + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft + Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL managed - instance advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that 'email notification to admins and subscription owners' is enabled in + instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeb23562-188d-47cb-80b8-551f16ef9fff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1413 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeedddb6-6bc0-42d5-809b-80048033419d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1710 - Security Function 
Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\"},{\"properties\":{\"displayName\":\"Monitor - missing Endpoint Protection in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft + Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor + missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"endpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af6cd1bd-1635-48cb-bde7-5b15693900b9\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor unaudited SQL servers in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"SQL - servers which don't have SQL auditing turned on will be monitored by Azure + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: + Monitor unaudited SQL servers in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"SQL + servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced - by the following policy: 'Auditing should be enabled on advanced data security - settings on SQL Server'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"auditing\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af8051bf-258b-44e2-a2bf-165330459f9d\"},{\"properties\":{\"displayName\":\"Microsoft + by the following policy: ''Auditing should be enabled on advanced data security + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric - Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afbd0baf-ff1a-4447-a86f-088a97347c0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1725 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afc234b5-456b-4aa5-b3e2-ce89108124cc\"},{\"properties\":{\"displayName\":\"Activity - log should be retained for at least one year\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft + Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity + log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"365\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"false\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"0\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b02aacc0-b073-424e-8298-42b22829ee0a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1429 - Media 
Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b07c9b24-729e-4e85-95fc-f224d2d08a80\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1711 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b083a535-a66a-41ec-ba7f-f9498bf67cde\"},{\"properties\":{\"displayName\":\"Just-In-Time - network access control should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft + Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft + Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time + network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"jitNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b0f33259-77d7-4c9e-aac6-3aabcfae693c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1571 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b11c985b-f2cd-4bd7-85f4-b52426edf905\"},{\"properties\":{\"displayName\":\"[Preview]: + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft + Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions - set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Linux virtual machines that do not have the passwd file permissions - set to 0644. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\
"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b18175dd-c599-4c64-83ba-bb018a06d35b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1537 - Risk Assessment Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b19454ca-0d70-42c0-acf5-ea1c1e5726d1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1091 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\"},{\"properties\":{\"displayName\":\"Microsoft + set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Linux + virtual machines that do not have the passwd file permissions set to 0644. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Micro
soft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft + Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized - Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b25faf85-8a16-4f28-8e15-d05c0072d64d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1009 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b26f8610-e615-47c2-abd6-c00b2b0b503a\"},{\"properties\":{\"displayName\":\"All + Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from - Event Hub namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Event + Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Event - Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b278e460-7cfc-4451-8294-cccc40a940d7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1234 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b293f881-361c-47ed-b997-bc4e2296bc0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1107 - Content Of Audit Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and 
Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b29ed931-8e21-4779-8458-27916122a904\"},{\"properties\":{\"displayName\":\"Deploy + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft + Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft + Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication - protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows web servers - that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. 
This policy should only be used along with its corresponding + protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows web servers that + are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MinimumTLSVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Minimum - TLS version\",\"description\":\"The minimum TLS protocol version that should - be enabled. Windows web servers with lower TLS versions will be marked as - non-compliant.\"},\"allowedValues\":[\"1.1\",\"1.2\"],\"defaultValue\":\"1.1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\
"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[SecureWebServer]s1;MinimumTLSVersion', - '=', 
parameters('MinimumTLSVersion')))]\"},{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"\"},{\"value\":\"[parameters('MinimumTLSVersion')]\",\"equals\":\"1.1\"}]}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AuditSecureProtocol\"},\"MinimumTLSVersion\":{\"value\":\"[parameters('MinimumTLSVersion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MinimumTLSVersion\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fc8f91-866d-4434-9089-5ebfe38d6fd8\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum + TLS version","description":"The minimum TLS protocol version that should be + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Logon-Logoff''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Logon-Logoff'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3802d79-dd88-4bce-b81d-780218e48280\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3d8d15b-627a-4219-8c96-4d16f788888b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1380 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4319b7e-ea8d-42ff-8a67-ccd462972827\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Search services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + category: ''System Audit Policies - Logon-Logoff''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft + Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic + logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Search\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4330a05-a843-4bc8-bf9a-cacce50c67f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1172 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b43e946e-a4c8-4b92-8201-4a39331db43c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1672 - Flaw Remediation | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b45fe972-904e-45a4-ac20-673ba027a301\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1131 - Protection Of Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b472a17e-c2bc-493f-b50b-42d55a346962\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft + Managed Control 1672 - 
Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft + Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an API app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b48334a4-911b-4084-b1ab-3e6a4e50b951\"},{\"properties\":{\"displayName\":\"A - security contact phone number should be provided for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/phone\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4d66858-c922-44e3-9566-5cdb7a7be744\"},{\"properties\":{\"displayName\":\"Microsoft + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4f9b47a-2116-4e6f-88db-4edbf22753f1\"},{\"properties\":{\"displayName\":\"Service - Fabric clusters should only use Azure Active Directory for client authentication\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"exists\":\"false\"},{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"equals\":\"\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b54ed75b-3e1a-44ac-a333-05ba39b99ff0\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Threat Protection for Cosmos DB Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables Advanced Threat Protection across Cosmos DB accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cosmos - 
DB\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"cosmosDbAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('cosmosDbAccountName'), - '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"cosmosDbAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b5f04e03-92a3-4b09-9410-2cc5e5047656\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in App Services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy + Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos + DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), + 
''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic + logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"notContains\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6747bf9-2b97-45b8-b162-3c8becb9937d\"},{\"properties\":{\"displayName\":\"Microsoft + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft + Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network - Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1568 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8eae8-9854-495a-ac82-d2cd3eac02a6\"},{\"properties\":{\"displayName\":\"Network - Watcher should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft + Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network + Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"listOfLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Locations\",\"description\":\"Audit - if Network Watcher is not enabled for region(s).\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"NetworkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"in\":\"[parameters('listOfLocations')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1608 - Supply Chain Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements 
this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1401 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b78ee928-e3c1-4569-ad97-9f8c4b629847\"},{\"properties\":{\"displayName\":\"API - App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + if Network Watcher is not enabled for 
region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft + Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft + Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b7ddfbdc-1260-477d-91fd-98bd9be789a6\"},{\"properties\":{\"displayName\":\"Deploy + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does - not contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Members\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members\",\"description\":\"A + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. 
Ex: Administrator; myUser1; myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"
Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;Members', - '=', parameters('Members')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembers\"},\"Members\":{\"value\":\"[parameters('Members')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Members\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b821191b-3a12-44bc-9c38-212138a29ff3\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Accounts'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b872a447-cc6f-43b9-bccf-45703cd81607\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Logic Apps to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + local group. 
Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + ''='', parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Accounts''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. 
+ This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Accounts''. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\
"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b889a06c-ec72-4b03-910a-cb169ee18721\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Administrative operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative operations","policyType":"BuiltIn","mode":"All","description":"This policy audits specific Administrative operations with no activity log alerts - configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Administrative Operation name for which activity - log alert should be 
configured\"},\"allowedValues\":[\"Microsoft.Sql/servers/firewallRules/write\",\"Microsoft.Sql/servers/firewallRules/delete\",\"Microsoft.Network/networkSecurityGroups/write\",\"Microsoft.Network/networkSecurityGroups/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/delete\",\"Microsoft.Network/networkSecurityGroups/securityRules/write\",\"Microsoft.Network/networkSecurityGroups/securityRules/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Administrative\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b954148f-4c11-4c38-8221-be76711e194a\"},{\"properties\":
{\"displayName\":\"Microsoft - Managed Control 1257 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b958b241-4245-4bd6-bd2d-b8f0779fb543\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1186 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b95ba3bd-4ded-49ea-9d10-c6f4b680813d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1447 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9783a99-98fe-4a95-873f-29613309fe9a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1625 - Boundary Protection | Access Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9b66a4d-70a1-4b47-8fa1-289cec68c605\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1610 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9f3fb54-4222-46a1-a308-4874061f8491\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be 
configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft + Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft + Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft + Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft + Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft + Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Recovery console''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Recovery console'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ba12366f-f9a6-42b8-9d98-157d0b1a837b\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Security Options - Recovery console''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat - And Vulnerability Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1726 - Information Handling And Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baff1279-05e0-4463-9a70-8ba5de4c7aa4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1166 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1188 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb20548a-c926-4e4d-855c-bcddc6faf95e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1533 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft + Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft + Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft + Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft + Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Microsoft Network Client'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network client: Digitally sign communications (always)\",\"description\":\"Specifies - whether packet signing is required by the SMB client component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network client: Send unencrypted password to third-party SMB servers\",\"description\":\"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it.\"},\"defaultValue\":\"0\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Amount of idle time required before suspending session\",\"description\":\"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,15\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Digitally sign communications (always)\",\"description\":\"Specifies - whether packet signing is required by the SMB server component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Disconnect clients when logon hours expire\",\"description\":\"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: 
Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users who are connected to the local computer outside - their user account's valid logon hours. This setting affects the Server Message + their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - 'Network security: Force logoff when logon hours expire'\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Comput
e/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Microsoft - network client: Digitally sign communications (always);ExpectedValue', '=', - parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', - 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', - '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), - ',', 'Microsoft network server: Amount of idle time required before suspending - session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), - ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', - '=', 
parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), - ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', - '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"string\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"string\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"string\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"string\"
},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft - network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft - network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft - network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft - network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft - network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft - network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bbcdd8fa-b600-4ee3-85b8-d184e3339652\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/
imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + network client: Digitally sign communications (always);ExpectedValue'', ''='', + parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', + ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers''), + '','', ''Microsoft network server: Amount of idle time required before 
suspending + session;ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''), + '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), + '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmount
OfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\"},{\"properties\":{\"displayName\":\"Microsoft + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / - Notification / Prohibition Of 
Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc34667f-397e-4a65-9b72-d0358f0b6b09\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1095 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc3f6f7a-057b-433e-9834-e8c97b0194f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft + Managed Control 1095 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Account Logon'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc87d811-4a9b-47cc-ae54-0a41abda7768\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1427 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc90e44f-d83f-4bdf-900f-3d5eb4111b31\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1351 
- Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1050 - Concurrent Session Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd20184c-b4ec-4ce5-8db6-6e86352d183f\"},{\"properties\":{\"displayName\":\"[Preview]: - IP Forwarding on your virtual machine should be disabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enabling - IP forwarding on a virtual machine's NIC allows the machine to receive traffic + category: ''System Audit Policies - Account Logon''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft + Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft + Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling + IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"disableIPForwarding\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"Monitored\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd352bd5-2853-4985-bf0d-73806b4a5744\"},{\"properties\":{\"displayName\":\"Advanced - Threat Protection types should be set to 'All' in SQL managed instance Advanced - Data Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + Threat Protection types should be set to ''All'' in SQL managed instance Advanced + Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bda18df3-5e41-4709-add9-2554ce68c966\"},{\"properties\":{\"displayName\":\"Show + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains - any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + any of the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastru
cture-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bde62c94-ccca-4821-a815-92c1d31a76de\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be0a7681-bed4-48dc-9ff3-f0171ee170b6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1360 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be5b05e7-0b82-4ebc-9eda-25e447b1a41e\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Key Vault to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic 
settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bef3f64c-5290-43b7-85b0-9b254eef4c47\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1152 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\"},{\"properties\":{\"displayName\":\"Geo-redundant - storage should be enabled for Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy 
audits any Storage Account with geo-redundant storage not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":[\"Standard_GRS\",\"Standard_RAGRS\",\"Standard_GZRS\",\"Standard_RAGZRS\"]}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf045164-79ba-4215-8f95-f8048dc1780b\"},{\"properties\":{\"displayName\":\"Microsoft + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft + Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments - / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf296b8c-f391-4ea4-9198-be3c9d39dd1f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1446 - Physical And Environmental Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf6850fe-abba-468e-9ef4-d09ec7d983cd\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft + Managed Control 1446 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Logon-Logoff'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''System Audit Policies + - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditGroupMembership\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Group Membership\",\"description\":\"Specifies whether audit events - are generated when group memberships are enumerated on the client computer.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\
"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Group Membership;ExpectedValue', '=', 
parameters('AuditGroupMembership')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\"},\"AuditGroupMembership\":{\"value\":\"[parameters('AuditGroupMembership')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditGroupMembership\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Group Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Group 
Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c04255ee-1b9f-42c1-abaa-bf1553f79930\"},{\"properties\":{\"displayName\":\"Only - approved VM extensions should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy governs the virtual machine extensions that are not approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"approvedExtensions\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of approved extension types that 
can be installed. Example: AzureDiskEncryption\",\"displayName\":\"Approved - extensions\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"notIn\":\"[parameters('approvedExtensions')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c0e996f8-39cf-4af9-9f45-83fbde810432\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1124 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10152dd-78f8-4335-ae2d-ad92cc028da4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1676 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1719 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c13da9b4-fe14-4fe2-853a-5997c9d4215a\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only + approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This + policy governs the virtual machine extensions that are not 
approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The + list of approved extension types that can be installed. Example: AzureDiskEncryption","displayName":"Approved + extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft + Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft + Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft + Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated - Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c158eb1c-ae7e-4081-8057-d527140c4e0c\"},{\"properties\":{\"displayName\":\"Deploy - associations for a custom provider\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy + associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. 
This policy deployment does not support nested resource types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Custom - Provider\"},\"parameters\":{\"targetCustomProviderId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Custom - provider ID\",\"description\":\"Resource ID of the Custom provider to which - resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - types to associate\",\"description\":\"The list of resource types to be associated - to the custom provider.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association - name prefix\",\"description\":\"Prefix to be added to the name of the association - resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), - '-', uniqueString(parameters('targetCustomProviderId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetCustomProviderId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), - '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), - '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', 
uniqueString(parameters('targetCustomProviderId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, - '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetCustomProviderId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetCustomProviderId\":{\"value\":\"[parameters('targetCustomProviderId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1629 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c171b095-7756-41de-8644-a062a96043f2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1004 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c17822dc-736f-4eb4-a97d-e6be662ff835\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Asia data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + custom provider. 
This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom + Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom + provider ID","description":"Resource ID of the Custom provider to which resources + need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource + types to associate","description":"The list of resource types to be associated + to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association + name prefix","description":"Prefix to be added to the name of the association + resource being created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), + ''-'', uniqueString(parameters(''targetCustomProviderId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetCustomProviderId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), + ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), + ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', + uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, + 
''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft + Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft + Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"eastasia\",\"southeastasia\",\"westindia\",\"southindia\",\"centralindia\",\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + West India, South India, Central India, Japan East, Japan 
West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Account Logon'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditCredentialValidation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Credential Validation\",\"description\":\"Specifies whether audit events - are generated when credentials are submitted for a user account logon request. 
- \ This setting is especially useful for monitoring unsuccessful attempts, - to find brute-force attacks, account enumeration, and potential account compromise - events on domain controllers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"Success and Failure\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-servic
es\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Credential Validation;ExpectedValue', '=', 
parameters('AuditCredentialValidation')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\"},\"AuditCredentialValidation\":{\"value\":\"[parameters('AuditCredentialValidation')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditCredentialValidation\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Credential Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Credential 
Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1e289c0-ffad-475d-a924-adc058765d65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1503 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\"},{\"properties\":{\"displayName\":\"Deploy + with non-compliant settings in Group Policy category: ''System Audit Policies + - Account Logon''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsof
t.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft + Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time - zone\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not set to the specified time zone. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Time - zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) - International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) - Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) - Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja - California\",\"(UTC-08:00) Coordinated Universal Time-08\",\"(UTC-08:00) Pacific - Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, - Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central - America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter - Island\",\"(UTC-06:00) Guadalajara, Mexico City, Monterrey\",\"(UTC-06:00) - Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) - Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) - Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) - Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) - Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) - Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) - Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos - Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) - Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) - Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) - Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) - 
Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) - Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, - Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, - Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) - Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) - Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) - Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, - Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, - Sofia, Tallinn, Vilnius\",\"(UTC+02:00) Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) - Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) - Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) - Minsk\",\"(UTC+03:00) Moscow, St. Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) - Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) - Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) - Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) - Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) - Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) - Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) - Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) - Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, - Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) - Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong - Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) - Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) 
Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) - Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) - Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) - Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, - Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) - Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) - Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) - Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) - Auckland, Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) - Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham - Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) - Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"win
dows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', - '=', 
parameters('TimeZone')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c21f7060-c148-41cf-a68b-0ab3e14c764c\"},{\"properties\":{\"displayName\":\"Show + zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates + a Guest Configuration assignment to audit Windows virtual machines that are + not set to the specified time zone. It also creates a system-assigned managed + identity and deploys the VM extension for Guest Configuration. This policy + should only be used along with its corresponding audit policy in an initiative. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time + zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) + Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) + Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) + Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) + Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time + (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US + & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, + Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio + Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) + Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks + and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) + Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San + Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) + Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) + Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) + Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated + Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) + Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, + Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) + Casablanca","(UTC+01:00) 
Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) + Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, + Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) + West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) + Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) + Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, + Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) + Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) + Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, + St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu + Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) + Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) + Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) + Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) + Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) + Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) + Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, + Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) + Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, + Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, + Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) + Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) + Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) + Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, 
Sydney","(UTC+10:00) + Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) + Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) + Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) + Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) + Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) + Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) + Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"},{"properties":{"displayName":"Show audit results from Windows VMs on which the specified services are not installed - and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which the specified services are not - installed and 'Running'. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the API - app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + and ''Running''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines on which the specified services are not installed and ''Running''. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the API + app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1176 - Baseline Configuration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1389 - Information Spillage 
Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c39e6fda-ae70-4891-a739-be7bba6d1062\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1390 - Information Spillage Response | Responsible Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3b65b63-09ec-4cb5-8028-7dd324d10eb0\"},{\"properties\":{\"displayName\":\"System - updates on virtual machine scale sets should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft + Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft + Managed Control 1389 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft + Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System + updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"SystemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3f317a7-a95c-4547-b7e7-11017ebdf2fe\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: + Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffe
r\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40c9087-1981-4e73-9f53-39743eda9d05\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40f31a7-81e1-4130-99e5-a02ceea2a1d6\"},{\"properties\":{\"displayName\":\"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU
","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + Managed Control 1220 - 
Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection - Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c416970d-b12b-49eb-8af4-fb144cd7c290\"},{\"properties\":{\"displayName\":\"Microsoft + Measures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection - signatures\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any Windows virtual machine not configured with automatic update - of Microsoft Antimalware protection signatures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"equals\":\"Windows\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c43e4a30-77cb-48ab-a4dd-93f175c63b57\"},{\"properties\":{\"displayName\":\"[Preview]: - Container Registry should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy + audits any Windows virtual machine not configured with automatic update of + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: + Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Network\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerRegistry/registries\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4857be7-912a-4c75-87e6-e30292bcdf78\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1235 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c49c610b-ece4-44b3-988c-2172b70d6e46\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1173 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4aff9e7-2e60-46fa-86be-506b79033fc5\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft + Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed + identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they - reach the API app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - 
or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4ebc54a-46e1-481a-bee2-d4411e95d828\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1600 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c53f3123-d233-44a7-930b-f40d3bfeb7d6\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Policy operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits specific Policy operations with no activity log alerts configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or 
disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Policy Operation name for which activity log alert - should exist\"},\"allowedValues\":[\"Microsoft.Authorization/policyAssignments/write\",\"Microsoft.Authorization/policyAssignments/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts\",\"exists\":\"true\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Policy\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5447c04-a4d7-4ba8-a263-c9ee321a6858\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1408 - Maintenance Tools | Prevent Unauthorized 
Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\"},{\"properties\":{\"displayName\":\"[Preview]: + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft + Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft + Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring - within the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateStorePath\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate store path\",\"description\":\"The path to the certificate store - containing the certificates to check the expiration dates of. Default value - is 'Cert:' which is the root certificate store path, so all certificates on - the machine will be checked. 
Other example paths: 'Cert:\\\\LocalMachine', - 'Cert:\\\\LocalMachine\\\\TrustedPublisher', 'Cert:\\\\CurrentUser'\"},\"defaultValue\":\"Cert:\"},\"ExpirationLimitInDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Expiration limit in days\",\"description\":\"An integer indicating the number + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' + which is the root certificate store path, so all certificates on the machine + will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will - cause this policy to be non-compliant.\"},\"defaultValue\":\"30\"},\"CertificateThumbprintsToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints to include\",\"description\":\"A semicolon-separated - list of certificate thumbprints to check under the specified path. If a value - is not specified, all certificates under the certificate store path will be - checked. If a value is specified, no certificates other than those with the - thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"CertificateThumbprintsToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints to exclude\",\"description\":\"A semicolon-separated - list of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"IncludeExpiredCertificates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Include expired certificates\",\"description\":\"Must be 'true' or 'false'. + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. True indicates that any found certificates that have already expired will also make this policy non-compliant. 
False indicates that certificates that - have expired will be be ignored.\"},\"allowedValues\":[\"true\",\"false\"],\"defaultValue\":\"false\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exis
ts\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateStorePath', - '=', parameters('CertificateStorePath'), ',', '[CertificateStore]CertificateStore1;ExpirationLimitInDays', - '=', parameters('ExpirationLimitInDays'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', - '=', parameters('CertificateThumbprintsToInclude'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude', - '=', parameters('CertificateThumbprintsToExclude'), ',', '[CertificateStore]CertificateStore1;IncludeExpiredCertificates', - '=', 
parameters('IncludeExpiredCertificates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"CertificateExpiration\"},\"CertificateStorePath\":{\"value\":\"[parameters('CertificateStorePath')]\"},\"ExpirationLimitInDays\":{\"value\":\"[parameters('ExpirationLimitInDays')]\"},\"CertificateThumbprintsToInclude\":{\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},\"CertificateThumbprintsToExclude\":{\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},\"IncludeExpiredCertificates\":{\"value\":\"[parameters('IncludeExpiredCertificates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateStorePath\":{\"type\":\"string\"},\"ExpirationLimitInDays\":{\"type\":\"string\"},\"CertificateThumbprintsToInclude\":{\"type\":\"string\"},\"CertificateThumbprintsToExclude\":{\"type\":\"string\"},\"IncludeExpiredCertificates\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1670 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6108469-57ee-4666-af7e-79ba61c7ae0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1190 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c66a3d1e-465b-4f28-9da5-aef701b59892\"},{\"properties\":{\"displayName\":\"Microsoft + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","
equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', + ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', + ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', + ''='', 
parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"IncludeExpiredCertificates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft + Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft + Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration - / Scanning And Monitoring Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c69b870e-857b-458b-af02-bb234f7a00d3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1125 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1619 - Information In Shared Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c722e569-cb52-45f3-a643-836547d016e1\"},{\"properties\":{\"displayName\":\"Microsoft + / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft + Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft + Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation - With Physical Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before - they reach the Function app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"equals\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1353 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c785ad59-f78f-44ad-9a7f-d1202318c748\"},{\"properties\":{\"displayName\":\"Email + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft + Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server - advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that 'email notification to admins and subscription owners' is enabled in + advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Batch Account to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccounts/providers/diagnosticSettings\",\"apiVer
sion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c84e5349-db6d-4769-805e-e14037dab9b5\"},{\"properties\":{\"displayName\":\"[Deprecated]: - API App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: + API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForApiApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1470 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c89ba09f-2e0f-44d0-8095-65b05bd151ef\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Interactive Logon'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compu
te/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8abcef9-fc26-482f-b8db-5fa60ee4586d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1018 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9121abf-e698-4ee9-b1cf-71ee528ff07f\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Data Lake Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + category: ''Security Options - Interactive Logon''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equ
als":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic + logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c95c74d9-38fe-4f0d-af86-0c7d626a315c\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'User Rights Assignment'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c961dac9-5916-42e8-8fb1-703148323994\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''User Rights Assignment''. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"fie
ld\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPendingReboot\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c96f3246-4382-4264-bf6b-af0b35e23c3c\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/i
mageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c","type":"Microsoft.Authorization/policyDefinitions","name":"c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. 
- A storage account with name '{storagePrefixParameter}{NSGLocation}' will be - automatically created.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"storagePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Storage - Account Prefix for Regional Storage Account\",\"description\":\"This prefix - will be combined with the network security group location to form the created - storage account name.\"}},\"rgName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource - Group Name for Storage Account (must exist)\",\"description\":\"The resource - group that the storage account will be created in. This resource group must - already exist.\",\"strongType\":\"ExistingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"setbypolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"},\"nsgName\":{\"type\":\"string\"},\"rgName\":{\"type\":\"string\"}},\"variables\":{\"storageDeployName\":\"[concat('policyStorage_', - uniqueString(parameters('location'), 
parameters('nsgName')))]\"},\"resources\":[{\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\"name\":\"[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]\",\"apiVersion\":\"2017-05-01-preview\",\"location\":\"[parameters('location')]\",\"dependsOn\":[\"[variables('storageDeployName')]\"],\"properties\":{\"storageAccountId\":\"[reference(variables('storageDeployName')).outputs.storageAccountId.value]\",\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}]}},{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('storageDeployName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('rgName')]\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-06-01\",\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[concat(parameters('storageprefix'), - parameters('location'))]\",\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"kind\":\"Storage\",\"location\":\"[parameters('location')]\",\"tags\":{\"created-by\":\"policy\"},\"scale\":null,\"properties\":{\"networkAcls\":{\"bypass\":\"AzureServices\",\"defaultAction\":\"Allow\",\"ipRules\":[],\"virtualNetworkRules\":[]},\"supportsHttpsTrafficOnly\":true}}],\"outputs\":{\"storageAccountId\":{\"type\":\"string\",\"value\":\"[resourceId(parameters('rgName'), - 'Microsoft.Storage/storageAccounts',concat(parameters('storagePrefix'), 
parameters('location')))]\"}}}}}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"},\"nsgName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\"},{\"properties\":{\"displayName\":\"Storage - accounts should allow access from trusted Microsoft services\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Some + A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + Account Prefix for Regional Storage Account","description":"This prefix will + be combined with the network security group location to form the created storage + account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource + Group Name for Storage Account (must exist)","description":"The resource group + that the storage account will be created in. 
This resource group must already + exist.","strongType":"ExistingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/networkSecurityGroups"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"setbypolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"},"nsgName":{"type":"string"},"rgName":{"type":"string"}},"variables":{"storageDeployName":"[concat(''policyStorage_'', + uniqueString(parameters(''location''), parameters(''nsgName'')))]"},"resources":[{"type":"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings","name":"[concat(parameters(''nsgName''),''/Microsoft.Insights/setbypolicy'')]","apiVersion":"2017-05-01-preview","location":"[parameters(''location'')]","dependsOn":["[variables(''storageDeployName'')]"],"properties":{"storageAccountId":"[reference(variables(''storageDeployName'')).outputs.storageAccountId.value]","logs":[{"category":"NetworkSecurityGroupEvent","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"NetworkSecurityGroupRuleCounter","enabled":true,"retentionPolicy":{"enabled":false,"days":0}}]}},{"apiVersion":"2017-05-10","name":"[variables(''storageDeployName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''rgName'')]","properties":{"mode":"incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0
.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"}},"resources":[{"apiVersion":"2017-06-01","type":"Microsoft.Storage/storageAccounts","name":"[concat(parameters(''storageprefix''), + parameters(''location''))]","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"[parameters(''location'')]","tags":{"created-by":"policy"},"scale":null,"properties":{"networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[],"virtualNetworkRules":[]},"supportsHttpsTrafficOnly":true}}],"outputs":{"storageAccountId":{"type":"string","value":"[resourceId(parameters(''rgName''), + ''Microsoft.Storage/storageAccounts'',concat(parameters(''storagePrefix''), + parameters(''location'')))]"}}}}}]},"parameters":{"location":{"value":"[field(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"},"rgName":{"value":"[parameters(''rgName'')]"},"nsgName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","type":"Microsoft.Authorization/policyDefinitions","name":"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89"},{"properties":{"displayName":"Storage + accounts should allow access from trusted Microsoft services","policyType":"BuiltIn","mode":"Indexed","description":"Some Microsoft services that interact with storage accounts operate from networks - that can't be granted access through network rules. To help this type of service - work as intended, allow the set of trusted Microsoft services to bypass the - network rules. 
These services will then use strong authentication to access - the storage account.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"exists\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"notContains\":\"AzureServices\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9d007d0-c057-4772-b18c-01e546713bcd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1035 - Least Privilege | Authorize Access To Security Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca94b046-45e2-444f-a862-dc8ce262a516\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1243 - Contingency Planning Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca9a4469-d6df-4ab2-a42f-1213c396f0ec\"},{\"properties\":{\"displayName\":\"Microsoft + that can''t be granted access through network rules. To help this type of + service work as intended, allow the set of trusted Microsoft services to bypass + the network rules. These services will then use strong authentication to access + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft + Managed Control 1035 - Least Privilege | Authorize Access To Security 
Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft + Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. - Access To Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + Access To Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote + debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. 
Remote - debugging should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb510bfd-1cba-4d9f-a230-cb0976f4bb71\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1486 - Alternate Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb790345-a51f-43de-934e-98dbfaf9dca5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1167 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cbb2be76-4891-430b-95a7-ca0b0a3d1300\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1374 - Incident Response Assistance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc5c8616-52ef-4e5e-8000-491634ed9249\"},{\"properties\":{\"displayName\":\"Show + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft + Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft + Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft + Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not - contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc7cda28-f867-4311-8497-a526129a8d19\"},{\"properties\":{\"displayName\":\"[Preview]: - Sensitive data in your SQL databases should be classified\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedInstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlDataClassification\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\"},{\"properties\":{\"displayName\":\"Allowed - virtual machine SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that 
your organization - can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of SKUs that can be specified for virtual machines.\",\"displayName\":\"Allowed - SKUs\",\"strongType\":\"VMSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"field\":\"Microsoft.Compute/virtualMachines/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cccc23c7-8427-4f53-ad12-b6a63eb452b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1443 - Media Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\"},{\"properties\":{\"displayName\":\"Inherit - a tag from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + can deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + list of SKUs that can be specified for virtual machines.","displayName":"Allowed + 
SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft + Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit + a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[resourceGroup().tags[parameters('tagName')]]\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd3aa116-8754-49c9-a813-ad46512ece54\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation if 'department' tag set\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation only if the 'department' tag is set\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags\",\"containsKey\":\"department\"}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd8dc879-a2ae-43c3-8211-1877c5755064\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1582 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs that allow re-use of the previous 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation only if the ''department'' tag 
is set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdbf72d9-ac9c-4026-8a3a-491a5ac59293\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1104 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdd8d244-18b2-4306-a1d1-df175ae0935f\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 
'System Audit - Policies - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/vir
tualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies 
- - Privilege Use'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imag
eOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce2370f6-0ac5-4d85-8ab4-10721cc640b0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1209 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce669c31-9103-4552-ae9c-cdef4e03580d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1242 - Contingency Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3b3293-667a-445e-a722-fa0b0afc0958\"},{\"properties\":{\"displayName\":\"Microsoft + with non-compliant settings in Group Policy category: ''System Audit Policies + - Privilege Use''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft + Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft + Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications - And Anomalous System Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3e4836-f19e-47eb-a8cd-c3ca150452c0\"},{\"properties\":{\"displayName\":\"Microsoft + And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate - Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf55fc87-48e1-4676-a2f8-d9a8cf993283\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Key Vault should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + logs in Key Vault should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf820ca0-f99e-4f3e-84fb-66e913812d21\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"1.0.0","category":"Key + 
Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using - Sampling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d03516cf-0293-489f-9b32-a18f2a79f836\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1724 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d07594d1-0307-4c08-94db-5d71ff31f0f6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1084 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\"},{\"properties\":{\"displayName\":\"Add - or replace a tag on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft + Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft + Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add + or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. 
Existing resource groups can be remediated by triggering a remediation - task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d157c373-a6c4-483d-aaad-570756956268\"},{\"properties\":{\"displayName\":\"Enforce - SSL connection should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","type":"Microsoft.Authorization/policyDefinitions","name":"d157c373-a6c4-483d-aaad-570756956268"},{"properties":{"displayName":"Enforce + SSL connection should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps - protect against 'man-in-the-middle' attacks by encrypting the data stream - between the server and your application\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d158790f-bfb0-486c-8631-2dc6b4e8e6af\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1620 - Denial Of Service Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d17c826b-1dec-43e1-a984-7b71c446649c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1880188-e51a-4772-b2ab-68f5e8bd27f6\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Function Apps that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + protect against ''man-in-the-middle'' attacks by encrypting the data stream + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft + Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft + Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + Audit Function Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\"},{\"properties\":{\"displayName\":\"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 
1195 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1e1d65c-1013-4484-bd54-991332e6a0d2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1721 - Spam Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1106 - Audit Events | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d2b4feae-61ab-423f-a4c5-0e38ac4464d8\"},{\"properties\":{\"displayName\":\"Microsoft + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft + Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft + Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation - Of Information Flows\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3531453-b869-4606-9122-29c1cd6e7ed1\"},{\"properties\":{\"displayName\":\"[Preview]: + Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is - not compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDscConfiguration\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38b4c26-9d2e-47d7-aefe-18d859a8706a\"},{\"properties\":{\"displayName\":\"Long-term - geo-redundant backup should be enabled for 
Azure SQL Databases\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/
storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies\",\"name\":\"default\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention\",\"notEquals\":\"PT0S\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38fc420-0735-4ef3-ac11-c806f651a570\"},{\"properties\":{\"displayName\":\"Microsoft + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic - Or Alternate Physical Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d39d4f68-7346-4133-8841-15318a714a24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1249 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3bf4251-0818-42db-950b-afd5b25a51c2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1562 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4142013-7964-4163-a313-a900301c2cef\"},{\"properties\":{\"displayName\":\"Virtual - machines should be connected to an approved virtual network\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft + Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft + Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual + machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"virtualNetworkId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual - network Id\",\"description\":\"Resource Id of the virtual network. 
Example: - /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id\",\"like\":\"[concat(parameters('virtualNetworkId'),'/*')]\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d416745a-506c-48b6-8ab1-83cb814bcaa3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1383 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4558451-e16a-4d2d-a066-fe12a6282bb9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1112 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d530aad8-4ee2-45f4-b234-c061dae683c0\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual + network Id","description":"Resource Id of the virtual network. 
Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft + Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft + Managed Control 1112 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSetti
ngs\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1585 - Security Engineering Principles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d57f8732-5cdc-4cda-8d27-ab148e1f3a55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1667 - System And Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d61880dc-6e38-4f2a-a30c-3406a98f8220\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1150 - Security Assessments | External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d630429d-e763-40b1-8fba-d20ba7314afb\"},{\"properties\":{\"displayName\":\"Event - Hub should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft + Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft + Managed Control 1667 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft + Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event + Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d63edb4a-c612-454d-b47d-191a724fcbf0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1549 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d6976a08-d969-4df2-bb38-29556c2eb48a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1473 - Emergency Power\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7047705-d719-46a7-8bb0-76ad233eba71\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1529 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d74fdc92-1cb8-4a34-9978-8556425cd14c\"},{\"properties\":{\"displayName\":\"Microsoft + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft + Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft + Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft + Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) - | Use Of FICAM-Issued Profiles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d77fd943-6ba6-4a21-ba07-22b03e347cc4\"},{\"properties\":{\"displayName\":\"Show + | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not - enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows Server virtual machines on which Windows Serial Console is - not enabled. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7ccd0ca-8d78-42af-a43d-6b7f928accbc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1016 - Account Management | Automated Audit Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8b43277-512e-40c3-ab00-14b3b6e72238\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1488 - Alternate Work 
Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8ef30eb-a44f-47af-8524-ac19a36d41d2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d922484a-8cfc-4a6b-95a4-77d6a685407f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1271 - Alternate Storage Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3bfb53-9c46-4010-b3db-a7ba1296dada\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1516 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3cd269-156f-435b-b472-c3af34c032ed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Batch Account to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + enabled","policyType":"BuiltIn","mode":"All","description":"This policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + Server virtual machines on which Windows Serial Console is not enabled. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft + Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft + Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft + Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft + Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The 
diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resour
ceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"db51110f-0865-4a6e-b274-e2e07a5b2cd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1277 - Alternate Processing Site | Priority Of Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dc43e829-3d50-4a0a-aa0f-428d551862aa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1439 - Media 
Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dce72873-c5f1-47c3-9b4f-6b8207fd5a45\"},{\"properties\":{\"displayName\":\"Microsoft + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft + Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft + Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related - Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd280d4b-50a1-42fb-a479-ece5878acf19\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd2ea520-6b06-45c3-806e-ea297c23e06a\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs 
configurations in 'System Audit Policies - - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Policy Change'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd4680ed-0559-4a6a-ad10-081d14cbb484\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''System Audit Policies - Policy Change''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated - Response To Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd469ae0-71a8-4adc-aafc-de6949ca3339\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1678 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd533cb0-b416-4be7-8e86-4d154824dfd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1391 - Information Spillage Response | Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd6ac1a1-660e-4810-baa8-74e868e2ed47\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1146 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd83410c-ecb6-4547-8f14-748c3cbdc7ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1602 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddae2e97-a449-499f-a1c8-aea4a7e52ec9\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Settings - - Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft + Managed Control 1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft + Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft + Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft + Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Settings + - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Settings - Account Policies'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddb53c61-9db4-41d4-a953-2abff5b66c12\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''Security Settings - Account Policies''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Recovery console'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Recovery console: Allow floppy copy and access to all drives and all folders\",\"description\":\"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment 
variables.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Wi
ndows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue', - '=', parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsRecoveryconsole\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1689 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"de901f2f-a01a-4456-97f0-33cda7966172\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1528 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"deb9797c-22f8-40e8-b342-a84003c924e6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dff0b90d-5a6f-491c-b2f8-b90aa402d844\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: Japan East, Japan 
West\",\"metadata\":{\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e01598e8-6538-41ed-95e8-8b29746cd697\"},{\"properties\":{\"displayName\":\"Cosmos - DB should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft + Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft + Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft + Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos + DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},{\"field\":\"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\"},{\"properties\":{\"displayName\":\"Microsoft + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / - Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0de232d-02a0-4652-872d-88afb4ae5e91\"},{\"properties\":{\"displayName\":\"Deploy + Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows - PowerShell execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ExecutionPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell - Execution Policy\",\"description\":\"The expected PowerShell execution policy.\"},\"allowedValues\":[\"AllSigned\",\"Bypass\",\"Default\",\"RemoteSigned\",\"Restricted\",\"Undefined\",\"Unrestricted\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy', - '=', 
parameters('ExecutionPolicy')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellExecutionPolicy\"},\"ExecutionPolicy\":{\"value\":\"[parameters('ExecutionPolicy')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ExecutionPolicy\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0efc13a-122a-47c5-b817-2ccfe5d12615\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated - Notifications Of Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e12494fa-b81e-4080-af71-7dbacc2da0ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1686 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e17085c5-0be8-4423-b39b-a52d3d1402e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1722 - Spam Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1da06bd-25b6-4127-a301-c313d6873fff\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in security configuration on your machines should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft + Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft + Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities + in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"osVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1047 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1276 - Alternate Processing Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e214e563-1206-4a43-a56b-ac5880c9c571\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1560 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e29e0915-5c2f-4d09-8806-048b749ad763\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft + Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft + Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft + Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2c1c086-2d84-4019-bff3-c44ccd95113c\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Dependency Agent Deployment in VMSS - VM Image (OS) 
unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: + Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldis
k\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10\",\"type\":\"Microsoft.Autho
rization/policyDefinitions\",\"name\":\"e2dd799a-a932-4e9d-ac17-d473bc3c6c10\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1161 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1387 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3007185-3857-43a9-8237-06ca94f1084c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1479 - Fire Protection | Automatic Fire Suppression\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e327b072-281d-4f75-9c28-4216e5d72f26\"},{\"properties\":{\"displayName\":\"Azure - VPN gateways should not use 'basic' SKU\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that VPN gateways do not use 'basic' SKU.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworkGateways\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/gatewayType\",\"equals\":\"Vpn\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/sku.tier\",\"equals\":\"Basic\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\"},{\"properties\":{\"displayName\":\"MFA - should be enabled on accounts with read permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + as support is 
updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":
"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority"
,"SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft + Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft + Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft + Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure + VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3576e28-8b17-4677-84c3-db2990658d64\"},{\"properties\":{\"displayName\":\"RDP - access from the Internet should be blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits any network security rule that allows RDP access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"3389\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), - 
contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), - contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))), sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))))),3389), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), - contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), - contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))))),3389), 
'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e372f825-a257-4fb8-9175-797a8a8627d6\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Shutdown'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3a77a94-cf41-4ee8-b45c-98be28841c03\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - - Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + read privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), 
sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Shutdown''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings + - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Settings - - Account Policies'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Settings + - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnforcePasswordHistory\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enforce password history\",\"description\":\"Specifies limits on password - reuse - how many times a new password must be created for a user account before - the password can be repeated.\"},\"defaultValue\":\"24\"},\"MaximumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Maximum password age\",\"description\":\"Specifies the maximum number of days + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days that may elapse before a user account password must be changed. 
The format - of the value is two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,70\"},\"MinimumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum password age\",\"description\":\"Specifies the minimum number of days - that must elapse before a user account password can be changed.\"},\"defaultValue\":\"1\"},\"MinimumPasswordLength\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum password length\",\"description\":\"Specifies the minimum number of - characters that a user account password may contain.\"},\"defaultValue\":\"14\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Password must meet complexity requirements\",\"description\":\"Specifies whether + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether a user account password must be complex. 
If required, a complex password must - not contain part of user's account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":
[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enforce - password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), - ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), - ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), - ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), - ',', 'Password must meet complexity requirements;ExpectedValue', '=', 
parameters('PasswordMustMeetComplexityRequirements')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecuritySettingsAccountPolicies\"},\"EnforcePasswordHistory\":{\"value\":\"[parameters('EnforcePasswordHistory')]\"},\"MaximumPasswordAge\":{\"value\":\"[parameters('MaximumPasswordAge')]\"},\"MinimumPasswordAge\":{\"value\":\"[parameters('MinimumPasswordAge')]\"},\"MinimumPasswordLength\":{\"value\":\"[parameters('MinimumPasswordLength')]\"},\"PasswordMustMeetComplexityRequirements\":{\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnforcePasswordHistory\":{\"type\":\"string\"},\"MaximumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordLength\":{\"type\":\"string\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce - password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum - password 
age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum - password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum - password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password - must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce - password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum - password age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum - password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum - password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password - must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3d95ab7-f47a-49d8-a347-784177b6c94c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1451 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3f1e5a3-25c1-4476-8cb6-3955031f8e65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1357 - Incident Response Training | Automated Training Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e4213689-05e8-4241-9d4e-8dd1cdafd105\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), + '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), + '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), + '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), + '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft + Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft + Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - User Account Control'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Admin Approval Mode for the Built-in Administrator account\",\"description\":\"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account.\"},\"defaultValue\":\"1\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: UAC: Behavior of the elevation prompt for administrators in Admin Approval - Mode\",\"description\":\"Specifies the behavior of the elevation prompt for - administrators.\"},\"defaultValue\":\"2\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Detect application installations and prompt for elevation\",\"description\":\"Specifies - the behavior of application installation detection for the 
computer.\"},\"defaultValue\":\"1\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Run all administrators in Admin Approval Mode\",\"description\":\"Specifies - the behavior of all User Account Control (UAC) policy settings for the computer.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infr
astructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', - '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), - ',', 'User Account Control: Behavior of the elevation prompt for administrators - in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), - ',', 'User Account Control: Detect application installations and prompt for - elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), - ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', - '=', 
parameters('UACRunAllAdministratorsInAdminApprovalMode')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsUserAccountControl\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"string\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"string\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"string\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', + ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), + '','', ''User Account Control: Behavior of the elevation prompt for administrators + in Admin Approval Mode;ExpectedValue'', ''='', parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode''), + '','', ''User Account Control: Detect application installations and prompt + for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), + '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin - Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User - Account Control: Detect application installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User - Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin - Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User - Account Control: Detect application installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User - Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e425e402-a050-45e5-b010-bd3f934589fc\"},{\"properties\":{\"displayName\":\"Microsoft + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted - Static Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e51ff84b-e5ea-408f-b651-2ecc2933e4c6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1381 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5368258-9684-4567-8126-269f34e65eab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1421 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e539caaa-da8c-41b8-9e1e-449851e2f7a6\"},{\"properties\":{\"displayName\":\"Microsoft + Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft + Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft + Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration - Of Detection And Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e54c325e-42a0-4dcf-b105-046e0f6f590f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1023 - Account Management | Usage Conditions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\"},{\"properties\":{\"displayName\":\"Allowed - locations\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables you to restrict the locations your organization can specify - when deploying resources. Use to enforce your geo-compliance requirements. - Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and - resources that use the 'global' region.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources.\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"},{\"field\":\"location\",\"notEquals\":\"global\"},{\"field\":\"type\",\"notEquals\":\"Microsoft.AzureActiveDirectory/b2cDirectories\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e56962a6-4747-49cd-b67b-bf8b01975c4c\"},{\"properties\":{\"displayName\":\"Microsoft + Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft + Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed + locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy + enables you to restrict the locations your organization can specify when deploying + resources. Use to enforce your geo-compliance requirements. 
Excludes resource + groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed + locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction - Recovery\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e57b98a0-a011-4956-a79d-5d17ed8b8e48\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1499 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e59671ab-9720-4ee2-9c60-170e8c82251e\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft + Managed Control 1499 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Accounts'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AccountsGuestAccountStatus\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Accounts: Guest account status\",\"description\":\"Specifies whether the local - Guest account is disabled.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Accounts: - Guest account status;ExpectedValue', '=', 
parameters('AccountsGuestAccountStatus')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAccounts\"},\"AccountsGuestAccountStatus\":{\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AccountsGuestAccountStatus\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: - Guest account status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: - Guest account 
status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5b81f87-9185-4224-bf00-9f505e9f89f3\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Node.js Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. 
Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestNodeJS\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e67687e8-08d5-4e7f-8226-5b4753bba008\"},{\"properties\":{\"displayName\":\"Microsoft + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access - To Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e6e41554-86b5-4537-9f7f-4fc41a1d1640\"},{\"properties\":{\"displayName\":\"Subnets - should be associated with a Network Security Group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets + should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnSubnets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e71308d3-144b-4262-b144-efdc3cc90517\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1567 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services 
Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e72edbf6-aa61-436d-a227-0f32b77194b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1311 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7568697-0c9e-4ea3-9cec-9e567d14f3c6\"},{\"properties\":{\"displayName\":\"Advanced - Threat Protection types should be set to 'All' in SQL server Advanced Data - Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft + Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft + Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced + Threat Protection types should be set to ''All'' in SQL server Advanced Data + Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e756b945-1b1b-480b-8de8-9a0859d5f7ad\"},{\"properties\":{\"displayName\":\"Microsoft + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National - Security System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\"},{\"properties\":{\"displayName\":\"Allowed - locations for resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed + locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that resource groups can be created in.\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e765b5de-1225-4ba3-bd56-1ac6695af988\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1273 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e77fcbf2-a1e8-44f1-860e-ed6583761e65\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed + locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft + Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e797f851-8be7-4c40-bb56-2e3395215b0e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 
1169 - Continuous Monitoring | Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7ba2cb3-5675-4468-8b50-8486bdd998a5\"},{\"properties\":{\"displayName\":\"Enforce - SSL connection should be enabled for MySQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce + SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against - 'man in the middle' attacks by encrypting the data stream between the server - and your application.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e802a67a-daf5-4436-9ea6-f6d821dd0c5d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1237 - Software Usage Restrictions | Open Source Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e80b6812-0bfa-4383-8223-cdd86a46a890\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in container security configurations should be 
remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + ''man in the middle'' attacks by encrypting the data stream between the server + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft + Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities + in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security 
Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachineScaleSets\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ContainerBenchmark\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8cbc669-f12d-49eb-93e7-9273119e9933\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Storage Gen1 to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1626 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8f6bddd-6d67-439a-88d4-c5fe39a79341\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e901375c-8f01-4ac8-9183-d5312f47fe63\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1723 - Information Input Validation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e91927a0-ac1d-44a0-95f8-5185f9dfce9f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1200 - Security Impact Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e98fe9d7-2ed3-44f8-93b7-24dca69783ff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1487 - Alternate Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c3371d-c30c-4f58-abd9-30b8a8199571\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for API Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event 
Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft + Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft + Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements 
this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft + Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft + Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote + debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. 
Remote debugging - should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1363 - Incident Handling | Automated Incident Handling Processes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3e8156-89a1-45b1-8bd6-938abc79fdfd\"},{\"properties\":{\"displayName\":\"Inherit - a tag from the resource group if missing\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + should be turned 
off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit + a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3f2387-9b95-492a-a190-fcdc54f7b070\"},{\"properties\":{\"displayName\":\"Key - Vault should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key + Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea4d6841-2173-4317-9747-ff522a45120f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1422 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea556850-838d-4a37-8ce5-9d7642f95e11\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1542 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eab340d0-3d55-4826-a0e5-feebfeb0131d\"},{\"properties\":{\"displayName\":\"Ensure - Function app has 'Client Certificates (Incoming client certificates)' set - to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. 
- Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eaebaea7-8013-4ceb-9d14-7eb32271373c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1064 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1321 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb627cc6-3a9d-46b5-96b7-5fca49178a37\"},{\"properties\":{\"displayName\":\"Log - checkpoints should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft + Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + Managed Control 1542 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure + Function app has ''Client Certificates (Incoming client certificates)'' set + to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. 
Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft + Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft + Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log + checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_checkpoints\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\"},{\"properties\":{\"displayName\":\"Log - connections should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log + connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_connections - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_connections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\"},{\"properties\":{\"displayName\":\"Disconnections - should be logged for PostgreSQL database servers.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting 
enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections + should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_disconnections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\"},{\"properties\":{\"displayName\":\"Log - duration 
should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log + duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_duration\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\"},{\"properties\":{\"displayName\":\"Deprecated - accounts with owner permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated - accounts with owner permissions should be removed from your subscription. - \ Deprecated accounts are accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ebb62a0c-3560-49e1-89ed-27e074e9f8ad\"},{\"properties\":{\"displayName\":\"[Preview]: + 
setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated + accounts with owner permissions should be removed from your subscription. 
Deprecated + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from - accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid110\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec49586f-4939-402d-a29e-6ff502b20592\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - Control Panel'. 
It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"
bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesControlPanel\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec7ac234-2af5-4729-94d2-c557c071799d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1241 - User-Installed Software | Alerts For Unauthorized Installations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eca4d7b2-65e2-4e04-95d4-c68606b063c3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1622 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ecf56554-164d-499a-8d00-206b07c27bed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Key Vault to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - Control Panel''. 
It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"all
Of":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft + Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft + Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for 
Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vaultName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('vaultName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - diagnostic settings for ', 
parameters('vaultName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"vaultName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ed7c8c13-51e7-49d1-8a43-8490431a0da2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1217 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edea4f20-b02c-4115-be75-86c080e5c0ed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Stream Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or 
False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + diagnostic settings for '', 
parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft + Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[conca
t(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edf3780c-3d70-40fe-b17e-ab72013dafca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1189 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ee45e02a-4140-416c-82c4-fecfea660b9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1089 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef080e67-0d1a-4f76-a0c5-fb9b0358485e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1314 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef0c8530-efd9-45b8-b753-f03083d06295\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1128 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef212163-3bc4-4e86-bcf8-705127086393\"},{\"properties\":{\"displayName\":\"Vulnerability - assessment should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True 
+ or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft + Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft + Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft + Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft + Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Event Hub to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + potential database 
vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1472 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef869332-921d-4c28-9402-3be73e6e50c8\"},{\"properties\":{\"displayName\":\"The - Log Analytics agent should be installed on Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft + Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The + Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\
"name\":\"efbde977-ba53-4479-b8e9-10b957924fbf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1012 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1358 - Incident Response Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"effbaeef-5bf4-400d-895e-ef8cbc0e64c7\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is enabled on Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + agent is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft + Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft + Managed Control 1358 - Incident 
Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0473e7a-a1ba-4e86-afb2-e829e11b01d8\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to 
audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the applications that should not be installed. e.g. 'Microsoft - SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL - Server 2014*' (to match any application starting with 'Microsoft SQL Server - 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\"
:\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]NotInstalledApplicationResource1;Name', - '=', 
parameters('ApplicationName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"NotInstalledApplication\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0633351-c7b2-41ff-9981-508fc08553c2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1531 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0643e0c-eee5-4113-8684-c608d05c5236\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1028 - Information Flow Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f171df5c-921b-41e9-b12b-50801c315475\"},{\"properties\":{\"displayName\":\"Virtual - networks should use specified virtual network gateway\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names (supports wildcards)","description":"A semicolon-separated list of the + names of the applications that should not be installed. e.g. 
''Microsoft SQL + Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","
exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft + Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest + TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft + Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual + networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network gateway.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"virtualNetworkGatewayId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual - network gateway Id\",\"description\":\"Resource Id of the virtual network - gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Network/virtualNetworks/subnets\",\"name\":\"GatewaySubnet\",\"existenceCondition\":{\"not\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id\",\"notContains\":\"[concat(parameters('virtualNetworkGatewayId'), - '/')]\"}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1776c76-f58c-4245-a8d0-2b207198dc8b\"},{\"properties\":{\"displayName\":\"[Preview]: + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual + network gateway Id","description":"Resource Id of the virtual network gateway. 
+ Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), + ''/'')]"}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","type":"Microsoft.Authorization/policyDefinitions","name":"f1776c76-f58c-4245-a8d0-2b207198dc8b"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions - set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that do not have the passwd file permissions set to 0644. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid121\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f19aa1c1-6b91-4c27-ae6a-970279f03db9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative - Templates - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + set to 0644","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Linux virtual machines that + do not have the passwd file permissions set to 0644. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute
/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - MSS 
(Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Adminstrative Templates - - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},
{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type
\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1f4825d-58fb-4257-8016-8c00e3c9ed9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1701 - Information System Monitoring | Host-Based Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f25bc08f-27cb-43b6-9a23-014d00700426\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1457 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f2d9d3e6-8886-4305-865d-639163e5c305\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Micr
osoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft + Managed Control 1701 - Information System Monitoring | Host-Based 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft + Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance - Of Piv Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f355d62b-39a8-4ba3-abf7-90f71cb3b000\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1615 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\"},{\"properties\":{\"displayName\":\"Microsoft + Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft + Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3793f5e-937f-44f7-bfba-40647ef3efa0\"},{\"properties\":{\"displayName\":\"Show + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not - contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b44e5d-1456-475f-9c67-c66c4618e85a\"},{\"properties\":{\"displayName\":\"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates - in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows VMs that do not contain the specified certificates in the - Trusted Root Certification Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b9ad83-000d-4dc1-bff0-6d54533dd03f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1706 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f475ee0e-f560-4c9b-876b-04a77460a404\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log 
Analytics Workspace for VM - Report Mismatch\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + VMs that do not contain the specified certificates in the Trusted Root Certification + Authorities certificate store (Cert:\\LocalMachine\\Root). For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalyticsWorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics Workspace Id that VMs should be configured for\",\"description\":\"This + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - 
for.\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"notEquals\":\"[parameters('logAnalyticsWorkspaceId')]\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f47b5582-33ec-4c5c-87c0-b010a6b2e917\"},{\"properties\":{\"displayName\":\"Authorization - rules on the Event Hub instance should be defined\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization + rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of authorization rules on Event Hub entities to grant least-privileged - access\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Event Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/eventhubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/eventHubs/authorizationRules\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4826e5f-6a27-407c-ae3e-9582eb39891d\"},{\"properties\":{\"displayName\":\"[Preview]: + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity - setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have the password complexity - setting enabled. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f48b2913-1dc5-4834-8c72-ccc1dfd819bb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1495 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4978d0e-a596-48e7-9f8c-bbf52554ce8d\"},{\"properties\":{\"displayName\":\"[Preview]: + setting 
enabled","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have the password complexity setting enabled. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"
field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the - specified number of 
days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NumberOfDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Number of days\",\"description\":\"The number of days without restart until - the machine is considered non-compliant\"},\"defaultValue\":\"12\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standa
rd-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[MachineUpTime]MachineLastBootUpTime;NumberOfDays', - '=', 
parameters('NumberOfDays')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MachineLastBootUpTime\"},\"NumberOfDays\":{\"value\":\"[parameters('NumberOfDays')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NumberOfDays\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4b245d4-46c9-42be-9b1a-49e2b5b94194\"},{\"properties\":{\"displayName\":\"Deploy - Auditing on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of 
days","description":"The number of days without restart until the + machine is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute
/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","type":"Microsoft.Authorization/policyDefinitions","name":"f4b245d4-46c9-42be-9b1a-49e2b5b94194"},{"properties":{"displayName":"Deploy + Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. 
It will automatically create a storage account in the same - region as the SQL server to store audit records.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"retentionDays\":{\"type\":\"String\",\"metadata\":{\"description\":\"The - value in days of the retention period (0 indicates unlimited retention)\",\"displayName\":\"Retention - days (optional, 180 days if unspecified)\"},\"defaultValue\":\"180\"},\"storageAccountsResourceGroup\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource - group name for storage accounts\",\"description\":\"Auditing writes database - events to an audit log in your Azure Storage account (a storage account will - be created in each region where a SQL Server is created that will be shared - by all servers in that region). Important - for proper operation of Auditing - do not delete or rename the resource group or the storage accounts.\",\"strongType\":\"existingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"auditRetentionDays\":{\"type\":\"string\"},\"storageAccountsResourceGroup\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"retentionDays\":\"[int(parameters('auditRetentionDays'))]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\
"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), - parameters('location'), parameters('storageAccountsResourceGroup'))]\",\"locationCode\":\"[substring(parameters('location'), - 0, 3)]\",\"storageName\":\"[tolower(concat('sqlaudit', variables('locationCode'), - variables('uniqueStorage')))]\",\"createStorageAccountDeploymentName\":\"[concat('sqlServerAuditingStorageAccount-', - uniqueString(variables('locationCode'), parameters('serverName')))]\"},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('createStorageAccountDeploymentName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('storageAccountsResourceGroup')]\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storageName\":{\"value\":\"[variables('storageName')]\"}},\"templateLink\":{\"uri\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json\",\"contentVersion\":\"1.0.0.0\"}}},{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"storageEndpoint\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]\",\"storageAccountAccessKey\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountKey.value]\",\"retentionDays\":\"[variables('retentionDays')]\",\"auditActionsAndGroups\":null,\"storageAccountSubscriptionId\":\"[subscription().subscriptionId]\",\"isStorageSecondaryKeyInUse\":false}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"auditRetentionDays\":{\"value\":\"[parameters('retentionDays')]\"},\"storageAccountsResourceGroup\":{\"value\":\"[parameters('storageAccountsResourceGroup')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4c68484-132f-41f9-9b6d-3e4b1cb55036\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1469 - Power Equipment And Cabling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1618 - Security 
Function Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f52f89aa-4489-4ec4-950e-8c96a036baa9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention + days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource + group name for storage accounts","description":"Auditing writes database events + to an audit log in your Azure Storage account (a storage account will be created + in each region where a SQL Server is created that will be shared by all servers + in that region). 
Important - for proper operation of Auditing do not delete + or rename the resource group or the storage accounts.","strongType":"existingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"Default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"auditRetentionDays":{"type":"string"},"storageAccountsResourceGroup":{"type":"string"},"location":{"type":"string"}},"variables":{"retentionDays":"[int(parameters(''auditRetentionDays''))]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + parameters(''location''), parameters(''storageAccountsResourceGroup''))]","locationCode":"[substring(parameters(''location''), + 0, 3)]","storageName":"[tolower(concat(''sqlaudit'', variables(''locationCode''), + variables(''uniqueStorage'')))]","createStorageAccountDeploymentName":"[concat(''sqlServerAuditingStorageAccount-'', + uniqueString(variables(''locationCode''), 
parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft + Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft + Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Network Access'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Network Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Remotely accessible registry paths\",\"description\":\"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry - key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\ProductOptions|#|System\\\\CurrentControlSet\\\\Control\\\\Server - Applications|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Remotely accessible registry paths and sub-paths\",\"description\":\"Specifies + key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible 
over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` - registry key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Printers|#|System\\\\CurrentControlSet\\\\Services\\\\Eventlog|#|Software\\\\Microsoft\\\\OLAP - Server|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print|#|Software\\\\Microsoft\\\\Windows - NT\\\\CurrentVersion\\\\Windows|#|System\\\\CurrentControlSet\\\\Control\\\\ContentIndex|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal - Server|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\UserConfig|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal - Server\\\\DefaultUserConfiguration|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Perflib|#|System\\\\CurrentControlSet\\\\Services\\\\SysmonLog\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Shares that can be accessed anonymously\",\"description\":\"Specifies + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network - access: Remotely accessible registry paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPaths'), - ',', 'Network access: Remotely accessible registry paths and sub-paths;ExpectedValue', - '=', parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'), - ',', 'Network access: Shares that can be accessed anonymously;ExpectedValue', - '=', 
parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkAccess\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"string\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network - 
access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network - access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network - access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network - access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56a3ab2-89d1-44de-ac0d-2ada5962e22a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1198 - Configuration Change Control | Security Representative\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56be5c3-660b-4c61-9078-f67cf072c356\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1328 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5c66fdc-3d02-4034-9db5-ba57802609de\"},{\"properties\":{\"displayName\":\"Microsoft + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivota
l"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), + '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', + ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), + '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft + Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft + Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5fd629f-3075-4cae-ab53-bad65495a4ac\"},{\"properties\":{\"displayName\":\"Internet-facing - virtual machines should be protected with Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). To learn more about controlling traffic with NSGs, visit - https://aka.ms/nsg-doc\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnVirtualMachines\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1214 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f714a4e2-b580-47b6-ae8c-f2812d3750f3\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft + Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions - / Ports / Protocols / Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f751cdb7-fbee-406b-969b-815d367cb9b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1330 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f75cedb2-5def-4b31-973e-b69e8c7bd031\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1540 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f771f8cb-6642-45cc-9a15-8a41cd5c6977\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1449 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1506 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\"},{\"properties\":{\"displayName\":\"Show + / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft + Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft + Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft + Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft + Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell - execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + execution policy","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8036bd0-c10b-4931-86bb-94a878add855\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1705 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f82e3639-fa2b-4e06-a786-932d8379b972\"},{\"properties\":{\"displayName\":\"External - accounts with owner permissions should 
be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Wind
ows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External + accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8456c1c-aa66-4dfb-861a-25d127b775c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1345 - Cryptographic Module Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1065 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f87b8085-dca9-4cf1-8f7b-9822b997797c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft + Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft + Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - System'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''System Audit Policies + - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditOtherSystemEvents\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Other System Events\",\"description\":\"Specifies whether audit events - are generated for Windows Firewall Service and Windows Firewall driver start - and stop events, failure events for these services and Windows Firewall Service - policy processing failures.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microso
ft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Other System Events;ExpectedValue', '=', 
parameters('AuditOtherSystemEvents')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesSystem\"},\"AuditOtherSystemEvents\":{\"value\":\"[parameters('AuditOtherSystemEvents')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditOtherSystemEvents\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Other System Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Other System 
Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8b0158d-4766-490f-bea0-259e52dba473\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Service Bus should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows 
Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":
[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System 
Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic + logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit 
enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Service - Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8d36e2f-389b-4ee4-898d-21aeb69a0f45\"},{\"properties\":{\"displayName\":\"Microsoft + your network is 
compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement - / Auditing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9012d14-e3e6-4d7b-b926-9f37b5537066\"},{\"properties\":{\"displayName\":\"Microsoft + / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert - Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9873db2-18ad-46b3-a11a-1a1f8cbf0335\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1478 - Fire Protection | Suppression Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f997df46-cfbb-4cc8-aac8-3fecdaf6a183\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1535 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9a165d2-967d-4733-8399-1074270dae2e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1108 - Content Of Audit Records | Additional Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9ad559e-c12d-415e-9a78-e50fdd7da7ba\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Azure Stream Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft + Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft + Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft + Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic + logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Stream - Analytics\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingJobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9be5368-9bf5-4b84-9e0a-7850da98bb46\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your 
Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9d614c5-c173-4d56-95a7-b4437057d193\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa108498-b3a8-4ffb-9e79-1107e76afad3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1037 - Least Privilege | Network Access To Privileged 
Commands\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa4c2a3d-1294-41a3-9ada-0e540471e9fb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1435 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa8d221b-d130-4637-ba16-501e666628bb\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + 
retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft + Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft + Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft + Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks - For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"facb66e0-1c48-478a-bed5-747a312323e1\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to enable Guest Configuration Policy on Linux VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy + prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePu
blisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforLinux\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforLinux\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"id
entity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1086 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb321e6f-16a0-4be3-878f-500956e309c5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1222 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb39e62f-6bda-4558-8088-ec03d5670914\"},{\"properties\":{\"displayName\":\"[Preview]: - Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Co
mpute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.ma
nagement.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft + Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft + Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: + Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.13.4\",\"1.13.3\",\"1.13.2\",\"1.13.1\",\"1.13.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.12.6\",\"1.12.5\",\"1.12.4\",\"1.12.3\",\"1.12.2\",\"1.12.1\",\"1.12.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.11.8\",\"1.11.7\",\"1.11.6\",\"1.11.5\",\"1.11.4\",\"1.11.3\",\"1.11.2\",\"1.11.1\",\"1.11.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.10.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.9.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.8.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.7.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.6.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.5.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.4.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.3.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.2.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.1.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.0.*\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb893a29-21bb-418c-a157-
e99480ec364c\"},{\"properties\":{\"displayName\":\"Storage + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"i
d":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage account containing the container with activity logs must be encrypted with - BYOK\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits if the Storage account containing the container with activity - logs is encrypted with BYOK. The policy works only if the storage account - lies on the same subscription as activity logs by design. More information - on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. - \",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Insights/logProfiles\"},{\"field\":\"Microsoft.Insights/logProfiles/storageAccountId\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Storage/storageAccounts\",\"existenceScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"value\":\"[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), - subscription().Id)]\",\"equals\":\"true\"},{\"field\":\"name\",\"equals\":\"[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]\"},{\"field\":\"Microsoft.Storage/storageAccounts/encryption.keySource\",\"equals\":\"Microsoft.Keyvault\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\"},{\"properties\":{\"displayName\":\"Microsoft - 
Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based - \ Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fc933d22-04df-48ed-8f87-22a3773d4309\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. 
","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft + Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: + Show audit results 
from Windows VMs configurations in ''Security Options - + Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Microsoft Network Client'. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\"
:\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fcbc55c9-f25a-4e55-a6cb-33acb3be778b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1318 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fced5fda-3bdb-4d73-bfea-0e2c80428b66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1543 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd00b778-b5b5-49c0-a994-734ea7bd3624\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Security Options - Microsoft Network Client''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft + Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated - Alerts And Advisories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4a2ac8-868a-4702-a345-6c896c3361ce\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1299 - Identification And Authentication Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4e54f7-9ab0-4bae-b6cc-457809948a89\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1627 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd73310d-76fc-422d-bda4-3a077149f179\"},{\"properties\":{\"displayName\":\"Microsoft + Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft + Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft + Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time - Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1611 - Developer-Provided Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1405 - Maintenance Tools | Inspect Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1613 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe2ad78b-8748-4bff-a924-f74dfca93f30\"},{\"properties\":{\"displayName\":\"Show - audit results from Linux VMs that do not have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft + Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft + Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + Managed Control 1613 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show + audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"fiel
d\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fee5cb2b-9d9b-410e-afe3-2902d90d0004\"},{\"properties\":{\"displayName\":\"Vulnerabilities - on your SQL databases should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Monitor + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedinstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"feedbf84-6b99-488c-acc2-71c829aa5ffc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ff9fbd83-1d8d-4b41-aac2-94cb44b33976\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1158 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fff50cf2-28eb-45b4-b378-c99412688907\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificate validity period\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the maximum validity period for certificates in months.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"maximumValidityInMonths\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The maximum validity in months\",\"description\":\"The limit to how long a - certificate may be valid for. 
Certificates with lengthy validity periods aren't - best practice.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths\",\"greater\":\"[parameters('maximumValidityInMonths')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a075868-4c26-42ef-914c-5bc007359560\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure containers listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft + Managed Control 1407 - Maintenance Tools | Prevent Unauthorized 
Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: + Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate + may be valid for. 
Certificates with lengthy validity periods aren''t best + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedContainerPortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container ports regex\",\"description\":\"Regex representing container ports - allowed in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerPortsRegex\":\"[parameters('allowedContainerPortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f636243-1b1c-4d50-880f-310f6199f2cb\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage allowed certificate key types\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the allowed key types for certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedKeyTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed key types\",\"description\":\"The list of allowed certificate key - types.\"},\"allowedValues\":[\"RSA\",\"RSA-HSM\",\"EC\",\"EC-HSM\"],\"defaultValue\":[\"RSA\",\"RSA-HSM\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"notIn\":\"[parameters('allowedKeyTypes')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1151cede-290b-4ba0-8b38-0ad145ac888f\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificate lifetime action triggers\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed + container ports regex","description":"Regex representing container ports allowed + in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: + Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"maximumPercentageLife\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The maximum lifetime percentage\",\"description\":\"Enter the percentage of - lifetime of the certificate when you want to trigger the policy action. For - example, to trigger a policy action at 80% of the certificate's valid life, - enter '80'.\"}},\"minimumDaysBeforeExpiry\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The minimum days before expiry\",\"description\":\"Enter the days before expiration + before certificate expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. 
For example, - to trigger a policy action 90 days before the certificate's expiration, enter - '90'.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"less\":\"[parameters('minimumDaysBeforeExpiry')]\"}]},{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"greater\":\"[parameters('maximumPercentageLife')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ef42cb-9903-4e39-9c26-422d29570417\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce labels on pods in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + to trigger a policy action at 80% of the certificate''s valid life, enter + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration + of the certificate when you want to trigger the policy action. 
For example, + to trigger a policy action 90 days before the certificate''s expiration, enter + ''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"commaSeparatedListOfLabels\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Comma-separated - list of labels\",\"description\":\"A comma-separated list of labels to be - specified on Pods in Kubernetes cluster. E.g. 
test1,test2\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"PodEnforceLabels\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"commaSeparatedListOfLabels\":\"[parameters('commaSeparatedListOfLabels')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16c6ca72-89d2-4798-b87e-496f9de7fcb7\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated + list of labels","description":"A comma-separated list of labels to be specified + on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedServicePortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - service ports list\",\"description\":\"The list of service ports allowed in - a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - 
Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml\",\"values\":{\"allowedServicePorts\":\"[parameters('allowedServicePortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"233a2a17-77ca-4fb1-9b6b-69223d272a44\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure services listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + service ports list","description":"The list of service ports allowed in a + Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml","values":{"allowedServicePorts":"[parameters(''allowedServicePortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44","type":"Microsoft.Authorization/policyDefinitions","name":"233a2a17-77ca-4fb1-9b6b-69223d272a44"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure services listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedServicePortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - service ports regex\",\"description\":\"Regex representing service ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ServiceAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedServicePortsRegex\":\"[parameters('allowedServicePortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25dee3db-6ce0-4c02-ab5d-245887b24077\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce HTTPS ingress in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed + service ports regex","description":"Regex representing service ports allowed + in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ServiceAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedServicePortsRegex":"[parameters(''allowedServicePortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077","type":"Microsoft.Authorization/policyDefinitions","name":"25dee3db-6ce0-4c02-ab5d-245887b24077"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce HTTPS ingress in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"HttpsIngressOnly\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce internal load balancers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - 
Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\"},{\"properties\":{\"displayName\":\"[Preview]: + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes - cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed 
ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedContainerPortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - container ports list\",\"description\":\"The list of container ports allowed - in a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml\",\"values\":{\"allowedContainerPorts\":\"[parameters('allowedContainerPortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"440b515e-a580-421e-abeb-b159a61ddcbc\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce labels on pods in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + container ports list","description":"The list of container ports allowed in + a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"labelsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"List - of labels\",\"description\":\"The list of labels to be specified on Pods in - a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml\",\"values\":{\"labels\":\"[parameters('labelsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46592696-4c7b-4bf3-9e45-6c2763bdc0a6\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure only allowed container images in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + of labels","description":"The list of labels to be specified on Pods in a + Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml","values":{"labels":"[parameters(''labelsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6","type":"Microsoft.Authorization/policyDefinitions","name":"46592696-4c7b-4bf3-9e45-6c2763bdc0a6"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container images regex\",\"description\":\"Regex representing container images + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images - is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedImages\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f86cb6e-c4da-441b-807c-44bd0cc14e66\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Do not allow privileged containers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + is 
^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedImages","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66","type":"Microsoft.Authorization/policyDefinitions","name":"5f86cb6e-c4da-441b-807c-44bd0cc14e66"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Do not allow privileged containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerNoPrivilege\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates issued by an integrated CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: + Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedCAs\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed Azure Key Vault Supported CAs\",\"description\":\"The list of allowed - certificate authorities supported by Azure Key Vault.\"},\"allowedValues\":[\"DigiCert\",\"GlobalSign\"],\"defaultValue\":[\"DigiCert\",\"GlobalSign\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.name\",\"notIn\":\"[parameters('allowedCAs')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e826246-c976-48f6-b03e-619bb92b3d82\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Do not allow privileged containers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95edb821-ddaf-4404-9732-666045e056b4\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates issued by a non-integrated CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: + Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"caCommonName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - The common name of the certificate authority\",\"description\":\"The common - name (CN) of the Certificate Authority (CA) provider. 
For example, for an - issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName\",\"notContains\":\"[parameters('caCommonName')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a22f4a40-01d3-4c7d-8071-da157eeff341\"},{\"properties\":{\"displayName\":\"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers - in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerResourceLimits\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2d3ed81-8d11-4079-80a5-1faadc0024f4\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce internal load balancers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"LoadBalancersInternal\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a74d8f00-2fd9-4ce4-968e-0ee1eb821698\"},{\"properties\":{\"displayName\":\"[Preview]: + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes - cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fd3e59-6390-4f2b-8247-ea676bd03e2d\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage allowed curve names for elliptic curve cryptography certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: + Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedECNames\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed elliptic curve names\",\"description\":\"The list of allowed curve - names for elliptic curve cryptography certificates.\"},\"allowedValues\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"],\"defaultValue\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"EC\",\"EC-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName\",\"notIn\":\"[parameters('allowedECNames')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd78111f-4953-4367-9fd5-7e08808b54bf\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage minimum key size for RSA certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the minimum key size for RSA certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"minimumRSAKeySize\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum RSA key size\",\"description\":\"The minimum key size for RSA certificates.\"},\"allowedValues\":[2048,3072,4096]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"RSA\",\"RSA-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize\",\"less\":\"[parameters('minimumRSAKeySize')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cee51871-e572-4576-855c-047c820360f0\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This 
policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"UniqueIngressHostnames\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d011d9f7-ba32-4005-b727-b3d09371ca60\"},{\"properties\":{\"displayName\":\"[Preview]: + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed - the specified limits in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"cpuLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Max - allowed CPU units\",\"description\":\"The maximum CPU units allowed for a - container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"memoryLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Max - allowed memory bytes\",\"description\":\"The maximum memory bytes allowed - for a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml\",\"values\":{\"cpuLimit\":\"[parameters('cpuLimit')]\",\"memoryLimit\":\"[parameters('memoryLimit')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345eecc-fa47-480f-9e88-67dcc122b164\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates that are within a specified number of days of expiration\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + allowed CPU units","description":"The maximum CPU units allowed for a container. + E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max + allowed memory bytes","description":"The maximum memory bytes allowed for + a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: + Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"daysToExpire\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - Days to expire\",\"description\":\"The number of days for a certificate to - expire.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn\",\"lessOrEquals\":\"[addDays(utcNow(), - 
parameters('daysToExpire'))]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f772fb64-8e40-40ad-87bc-7706e1949427\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Ensure only allowed container images in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container images regex\",\"description\":\"Regex representing container images + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. Regex for azure container registry images - is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml\",\"values\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"febd0533-8e55-448f-b837-bd0e06f16469\"},{\"properties\":{\"displayName\":\"Audit - virtual machines without disaster recovery 
configured\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"test\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:21:49.7174918Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of allowed locations for resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c510c21-8404-40b2-a351-73e881e707dc\"},{\"properties\":{\"displayName\":\"zhoxing_test_new_policy_test_length_exceed_name\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"\u6D4B\u8BD5\u4E00\u4E0B\u540D\u5B57\u8D85\u957F\u7684\u7B56\u7565\u54E6\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:14:59.2983062Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of allowed locations for 
resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8720f898-d316-4608-b43d-203ce23c2a8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8720f898-d316-4608-b43d-203ce23c2a8d\"},{\"properties\":{\"displayName\":\"test_policy6iqdav32l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:20:01.1577308Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy4zz266ek6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy4zz266ek6\"},{\"properties\":{\"displayName\":\"test_policybsix632z6\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T03:24:37.437303Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy57hfk7oid\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy57hfk7oid\"},{\"properties\":{\"displayName\":\"test_policy3ulbefgq5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy5rxcsbgyu\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy5rxcsbgyu\"},{\"properties\":{\"displayName\":\"test_policy66vwzao4g\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:12:26.4310804Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy63bzujayf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy63bzujayf\"},{\"properties\":{\"displayName\":\"test_policyvrud2j572\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6rmvrx2ug\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6rmvrx2ug\"},{\"properties\":{\"displayName\":\"test_policyqr33lcjpy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:02:21.3055647Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6vduv5kcq\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6vduv5kcq\"},{\"properties\":{\"displayName\":\"test_policyeezgnn3tf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy72fpbk6om\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy72fpbk6om\"},{\"properties\":{\"displayName\":\"test_policylzld56g3c\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy75lhjp2qz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy75lhjp2qz\"},{\"properties\":{\"displayName\":\"test_policyac3dg2mjn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:20:41.768722Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7nfzu5aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy7nfzu5aac\"},{\"properties\":{\"displayName\":\"test_policy4leaozaze\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyafjaspbln\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyafjaspbln\"},{\"properties\":{\"displayName\":\"test_policytz5xijuco\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed - locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyaip6dvuui\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyaip6dvuui\"},{\"properties\":{\"displayName\":\"test_policyk2ipvteje\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policycc24wg2ai\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policycc24wg2ai\"},{\"properties\":{\"displayName\":\"test_policy3fqevgg5o\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T07:30:30.8196821Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of locations that can be specified - when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyda63cvhit\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyda63cvhit\"},{\"properties\":{\"displayName\":\"test_policytxax3vq3l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:13:20.7569455Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyeal5hjxel\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyeal5hjxel\"},{\"properties\":{\"displayName\":\"test_policynek2j6dvx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyebyt2or2s\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyebyt2or2s\"},{\"properties\":{\"displayName\":\"test_policyo57mbgttt\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf4gvztvgz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyf4gvztvgz\"},{\"properties\":{\"displayName\":\"test_policyry7ktdqpn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfneqctrjx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfneqctrjx\"},{\"properties\":{\"displayName\":\"test_policyhproaqyb2\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T07:55:49.8973296Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfo7wr4vix\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfo7wr4vix\"},{\"properties\":{\"displayName\":\"test_policyfufe2htyd\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:17:08.3329915Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyftxdxfati\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyftxdxfati\"},{\"properties\":{\"displayName\":\"test_policypq5w4fcp5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhavmopeay\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhavmopeay\"},{\"properties\":{\"displayName\":\"test_policyzhxn622hb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhb6kmyq63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhb6kmyq63\"},{\"properties\":{\"displayName\":\"test_policyzbi2xb6y7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyismcbfzwf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyismcbfzwf\"},{\"properties\":{\"displayName\":\"test_policy000003_new\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\",\"createdBy\":\"f0f844e0-d2fe-4aa3-8e2c-2e429618f305\",\"createdOn\":\"2020-02-07T16:41:54.1524477Z\",\"updatedBy\":\"f0f844e0-d2fe-4aa3-8e2c-2e429618f305\",\"updatedOn\":\"2020-02-07T16:41:56.6285028Z\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations 2\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy000002\"},{\"properties\":{\"displayName\":\"test_policyyulsilxiw\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjp2hqpyxg\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyjp2hqpyxg\"},{\"properties\":{\"displayName\":\"test_policy3b7x23vtu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:09:59.3205891Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyk7i5cvli7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyk7i5cvli7\"},{\"properties\":{\"displayName\":\"test_policykr5rg52qb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-20T07:02:32.8430887Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyko7fuaryl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyko7fuaryl\"},{\"properties\":{\"displayName\":\"test_policym7v6bzkep\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyl5e3igsku\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyl5e3igsku\"},{\"properties\":{\"displayName\":\"test_policyr5ivz4uoy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policylw4dif6k4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policylw4dif6k4\"},{\"properties\":{\"displayName\":\"test_policytbp7jr4ui\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:32:31.9256236Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyma7xpif5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyma7xpif5f\"},{\"properties\":{\"displayName\":\"test_policyltbuxqxmj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:01:18.5679417Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymhawrsfdj\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymhawrsfdj\"},{\"properties\":{\"displayName\":\"test_policyp2yhkolhg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymxx4vzibo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymxx4vzibo\"},{\"properties\":{\"displayName\":\"test_policyt252aa3in\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyose3kehj3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyose3kehj3\"},{\"properties\":{\"displayName\":\"test_policyg5g7wrd63\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqcexugiyb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqcexugiyb\"},{\"properties\":{\"displayName\":\"test_policyrhqz2lkr7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:06:49.1738752Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqsscwoy4k\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqsscwoy4k\"},{\"properties\":{\"displayName\":\"test_policyfn5bvohrv\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-15T07:02:13.594025Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr45j67nyp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr45j67nyp\"},{\"properties\":{\"displayName\":\"test_policygciiyb5ye\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:07:22.3409618Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr7fhjcb3r\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr7fhjcb3r\"},{\"properties\":{\"displayName\":\"test_policy2k3hcktfx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:18:07.741136Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrnepsjpsa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrnepsjpsa\"},{\"properties\":{\"displayName\":\"test_policy5u5ook2zf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrs5zxfokx\"},{\"properties\":{\"displayName\":\"test_policyepxuvmnrs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrtseayuym\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrtseayuym\"},{\"properties\":{\"displayName\":\"test_policyeglfwi2os\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrzih7n7ws\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrzih7n7ws\"},{\"properties\":{\"displayName\":\"test_policyrjb7ausww\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-26T07:06:57.89264Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysh2ld2fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policysh2ld2fbf\"},{\"properties\":{\"displayName\":\"test_policyeop2lxcb7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytaxuus2zo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytaxuus2zo\"},{\"properties\":{\"displayName\":\"test_policyx5a3znshs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T09:10:23.421479Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of locations that can be specified - when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytl5ocnpv2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytl5ocnpv2\"},{\"properties\":{\"displayName\":\"test_policymichd2ukj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytrkoh7vio\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytrkoh7vio\"},{\"properties\":{\"displayName\":\"test_policymhqqjyizg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyunv6j3gfp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyunv6j3gfp\"},{\"properties\":{\"displayName\":\"test_policyf2qzg3ba4\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed - 
locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv3qavzpbx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv3qavzpbx\"},{\"properties\":{\"displayName\":\"test_policy5koxubsg5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv53qgvql6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv53qgvql6\"},{\"properties\":{\"displayName\":\"test_policycaxoe7agu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:14:31.5587491Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv6bc2zdey\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv6bc2zdey\"},{\"properties\":{\"displayName\":\"test_policy65zhk56oe\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:12:22.7078165Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvmph7iatk\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvmph7iatk\"},{\"properties\":{\"displayName\":\"test_policy7t2i6ysv7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvpb2ircbl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvpb2ircbl\"},{\"properties\":{\"displayName\":\"test_policyc2n4hwvff\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:21:23.3432499Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policywsslcs6dz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policywsslcs6dz\"},{\"properties\":{\"displayName\":\"test_policyn67yt2fld_new\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-06-11T06:51:10.2516Z\",\"updatedBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"updatedOn\":\"2019-06-11T06:51:13.9885473Z\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations 
2\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyx5j3fsjzb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyx5j3fsjzb\"},{\"properties\":{\"displayName\":\"test_policy574uc23jc\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:14:59.7674009Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy7mglfglo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyy7mglfglo\"},{\"properties\":{\"displayName\":\"test_policyif4bjggk7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyuuoin4oc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyyuuoin4oc\"},{\"properties\":{\"displayName\":\"test_policyvy7eweevk\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-19T07:01:55.8648869Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyzyhzyddss\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyzyhzyddss\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"Deny - cool access tiering for 
storage\",\"metadata\":{\"createdBy\":\"89ed5be8-ff97-41b5-ab11-055e1e3cc34b\",\"createdOn\":\"2019-03-09T04:29:39.8836867Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"kind\",\"equals\":\"BlobStorage\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/accessTier\",\"equals\":\"cool\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"denyCoolTiering\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:35.9462109Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T05:58:36.2899714Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1d6a287496763bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1d6a287496763bd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.3616782Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T04:25:20.5689022Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1ff115351d7d620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1ff115351d7d620\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"
createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:36.5087248Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd226f944793a0edd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd226f944793a0edd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.9593945Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd248103959e1b89a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd248103959e1b89a\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:53:56.4821495Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn4b00229168b529\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn4b00229168b529\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:12:02.5562119Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscripti
ons/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn7d459478c62e5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn7d459478c62e5f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:16:25.1651266Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdndd5095457eae7f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdndd5095457eae7f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:21:56.3757672Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdnfc173081e3e1c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdnfc173081e3e1c6\"},{\"properties\":{\"displayName\":\"pol-defdis-2169\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:43:22.5629692Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-2601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-2601\"},{\"properties\":{\"displayName\":\"pol-dis-5258\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:57:59.3671014Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3066\"},{\"properties\":{\"displayName\":\"pol-defdis-1797\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:59:42.1212637Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3604\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3604\"},{\"properties\":{\"displayName\":\"pol-defdis-8885\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:51:26.6479837Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4703\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4703\"},{\"properties\":{\"displayName\":\"pol-defdis-5984\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:44:44.5908405Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4803\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4803\"},{\"properties\":{\"displayName\":\"pol-dis-2866\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:59:29.3473453Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-7444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-7444\"},{\"properties\":{\"displayName\":\"pol-defdis-3052\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:50:49.8743418Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-834\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-834\"},{\"properties\":{\"displayName\":\"pol-dis-6545\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:01:11.8439197Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-07T10:01:13.5984375Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-900\"},{\"properties\":{\"displayName\":\"pol-defdis-412\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:39:00.9481726Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-9447\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-9447\"},{\"properties\":{\"displayName\":\"Sumit- - NSG X on every subnet\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"This - 
policy enforces a specific NSG on every subnet\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-01-02T03:24:40.1850198Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts/write\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/sumit-enforce-nsg-on-subnett2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"sumit-enforce-nsg-on-subnett2\"}]}" + is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"Replace + tag without becoming 
compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"rohitbh: + Key vault access policy","policyType":"Custom","mode":"All","description":"definition + description","metadata":{"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:11:44.907552Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:08:39.7776262Z"},"parameters":{"userObjectId":{"type":"String","metadata":{"displayName":"User + Object ID","description":"The GUID for the user which should have 
access"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.Keyvault/vaults/accessPolicies[*].objectId","notEquals":"[parameters(''userObjectId'')]"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.KeyVault/vaults","name":"current","deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"objectId":{"type":"string"},"keyVaultName":{"type":"string"},"secretsPermissions":{"type":"array","defaultValue":["list"]},"tenantId":{"type":"string"},"location":{"type":"string"},"sku":{"type":"object"},"existingAccessPolicies":{"type":"array","defaultValue":[]}},"variables":{"accessPolicies":[{"tenantId":"[parameters(''tenantId'')]","objectId":"[parameters(''objectId'')]","permissions":{"secrets":"[parameters(''secretsPermissions'')]"}}]},"resources":[{"type":"Microsoft.KeyVault/vaults","name":"[parameters(''keyVaultName'')]","location":"[parameters(''location'')]","apiVersion":"2018-02-14","properties":{"sku":"[parameters(''sku'')]","tenantId":"[parameters(''tenantId'')]","accessPolicies":"[concat(parameters(''existingAccessPolicies''), + 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"test_policyq6slq5sm7_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:51:06.1795637Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:51:08.2216691Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 
2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf3znzikbi","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyf3znzikbi"},{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated + Unit test junk: sorry for littering. 
Please delete me!","metadata":{"testName":"testValue","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-02T22:35:27.2634648Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-02T22:35:29.2696603Z"},"policyRule":{"if":{"source":"action","equals":"Microsoft.Resources/Subscriptions/ResourceGroups/write"},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7866","type":"Microsoft.Authorization/policyDefinitions","name":"ps7866"},{"properties":{"displayName":"robga + test modify","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-06T13:52:23.9266854Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-28T17:18:53.3118044Z"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"tags.testModify","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"tags.testModify","value":"addModifyOperation"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","type":"Microsoft.Authorization/policyDefinitions","name":"robgaTestModify"},{"properties":{"displayName":"Audit + tag at 
MG","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:29.3038974Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.Test","equals":"UnitTest"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","type":"Microsoft.Authorization/policyDefinitions","name":"03ae6c12-b46a-43f1-9f3d-c20620473106"},{"properties":{"displayName":"\"metadata\": + { \"category\": \"testResourcesGrid\" },","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T20:48:36.8149755Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.testResourcesGrid","equals":"testResourcesGrid"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/4bba2e95-2749-431f-95ff-d032a3ae57f6","type":"Microsoft.Authorization/policyDefinitions","name":"4bba2e95-2749-431f-95ff-d032a3ae57f6"},{"properties":{"displayName":"CaleC + - Technical Owner Email Tag on RG","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-13T21:16:37.0623117Z","updatedBy":null,"updatedOn":null},"parameters":{"namePattern":{"type":"String","metadata":{"displayName":"Pattern + matching","description":"Pattern to use for names. 
Can include wildcard (*)."}},"tagName":{"type":"String","metadata":{"displayName":"tagName","description":"Technical + Owner Email Address"},"defaultValue":"TechnicalOwnerEmail"}},"policyRule":{"if":{"allOf":[{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","like":"[parameters(''namePattern'')]"}},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/54d50b8c-c4c6-4552-9e50-19925aedcf44","type":"Microsoft.Authorization/policyDefinitions","name":"54d50b8c-c4c6-4552-9e50-19925aedcf44"},{"properties":{"displayName":"rohitbh + def","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-28T00:13:27.0393653Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/5b51a7de-acd9-42cd-81bd-32d9c01968e9","type":"Microsoft.Authorization/policyDefinitions","name":"5b51a7de-acd9-42cd-81bd-32d9c01968e9"},{"properties":{"displayName":"jilim + audit subscriptions without security 
contacts","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-07T20:59:59.7600143Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/Subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Security/securityContacts"}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/67d90168-f067-43df-bd57-bca4b46df3a0","type":"Microsoft.Authorization/policyDefinitions","name":"67d90168-f067-43df-bd57-bca4b46df3a0"},{"properties":{"displayName":"Empty + deployment on each KeyVault resource","policyType":"Custom","mode":"Indexed","description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"category":"SDK Tests","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:12.9974078Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/policyAssignments","name":"notExists","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[],"outputs":{"constantOutput":{"type":"string","value":"someConstantValue"}}}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","type":"Microsoft.Authorization/policyDefinitions","name":"78a38c70-5549-49bd-8a16-fe3619e5d2cf"},{"properties":{"displayName":"CaleC + - Ensure principal is member of 
role","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-08T01:55:56.4678953Z","updatedBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","updatedOn":"2019-11-13T21:19:54.5769298Z"},"parameters":{"roleDefinitionId":{"type":"String","metadata":{"displayName":"Approved + Role Definition","description":"The role definition id to add the principal + to."}},"principalId":{"type":"String","metadata":{"displayName":"Principal + Id","description":"Principal Id to add to roles"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"name","equals":"[parameters(''roleDefinitionId'')]"}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/roleAssignments","deploymentScope":"subscription","existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Authorization/roleAssignments/principalId","equals":"[parameters(''principalId'')]"},{"field":"Microsoft.Authorization/roleAssignments/roleDefinitionId","equals":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleDefinitionId''))]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"roleId":{"value":"[parameters(''roleDefinitionId'')]"},"principalId":{"value":"[parameters(''principalId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"principalId":{"type":"string"},"roleId":{"type":"string"}},"resources":[{"name":"[guid(subscription().id, + parameters(''roleId''), 
parameters(''principalId''))]","type":"Microsoft.Authorization/roleAssignments","apiVersion":"2019-04-01-preview","properties":{"principalId":"[parameters(''principalId'')]","roleDefinitionId":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleId''))]"}}]}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/906ef7c2-27f9-48f4-b111-1f0aca8697cd","type":"Microsoft.Authorization/policyDefinitions","name":"906ef7c2-27f9-48f4-b111-1f0aca8697cd"},{"properties":{"displayName":"jilim + mg test 2","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:34:15.5651057Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilim + mg test 2","type":"Microsoft.Authorization/policyDefinitions","name":"jilim + mg test 2"},{"properties":{"displayName":"jilim mg test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:00:41.0087033Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilimmgtest","type":"Microsoft.Authorization/policyDefinitions","name":"jilimmgtest"}]}' headers: cache-control: - no-cache content-length: - - '1828205' + - '1788425' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:57 GMT + - Tue, 11 Feb 2020 19:53:45 GMT expires: - '-1' pragma: 
@@ -7288,7 +7145,7 @@ interactions: ParameterSetName: - -n User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -7296,7 +7153,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:56.6285028Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: cache-control: 
@@ -7306,7 +7163,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:00 GMT + - Tue, 11 Feb 2020 19:53:46 GMT expires: - '-1' pragma: @@ -7336,7 +7193,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g --params User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7344,7 +7201,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:56.6285028Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: cache-control: @@ -7354,7 +7211,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:01 GMT + - Tue, 11 Feb 2020 19:53:48 GMT expires: - '-1' pragma: 
@@ -7392,7 +7249,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g --params User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7400,7 +7257,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:02.6701753Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' + string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:49.0799687Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' headers: cache-control: - no-cache @@ -7409,7 +7266,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:02 GMT + - Tue, 11 Feb 2020 19:53:49 GMT expires: - '-1' pragma: @@ -7419,7 +7276,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1189' + - '1199' status: code: 201 message: Created @@ -7437,7 +7294,7 @@ interactions: ParameterSetName: - -g -n --subnet-name User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7445,7 +7302,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_policy000001?api-version=2019-07-01 response: body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","name":"cli_test_policy000001","type":"Microsoft.Resources/resourceGroups","location":"westus","tags":{"product":"azurecli","cause":"automation","date":"2020-02-07T16:41:52Z"},"properties":{"provisioningState":"Succeeded"}}' + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","name":"cli_test_policy000001","type":"Microsoft.Resources/resourceGroups","location":"westus","tags":{"product":"azurecli","cause":"automation","date":"2020-02-11T19:53:40Z"},"properties":{"provisioningState":"Succeeded"}}' headers: cache-control: - no-cache @@ -7454,7 +7311,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:04 GMT + - Tue, 11 Feb 2020 19:53:49 GMT expires: - '-1' pragma: @@ -7488,7 +7345,7 @@ interactions: ParameterSetName: - -g -n --subnet-name User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7498,15 +7355,15 @@ interactions: body: string: "{\r\n \"name\": \"azurecli-test-policy-vnet000006\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet000006\",\r\n - \ \"etag\": \"W/\\\"7d68ef98-d270-4493-9e75-498099724d2c\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"a21b5120-d3d2-4822-8ca9-b57f43c6e61f\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"westus\",\r\n \ \"tags\": {},\r\n \"properties\": {\r\n \"provisioningState\": \"Updating\",\r\n - \ \"resourceGuid\": \"086daa60-06e4-4840-8945-c0624786e0ab\",\r\n \"addressSpace\": + \ \"resourceGuid\": \"2d46e74a-ef33-48ab-9964-7f34805118ed\",\r\n \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n ]\r\n \ },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n },\r\n \ \"subnets\": [\r\n {\r\n \"name\": \"azurecli-test-policy-subnet000007\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet000006/subnets/azurecli-test-policy-subnet000007\",\r\n - \ \"etag\": \"W/\\\"7d68ef98-d270-4493-9e75-498099724d2c\\\"\",\r\n + \ \"etag\": \"W/\\\"a21b5120-d3d2-4822-8ca9-b57f43c6e61f\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Updating\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -7515,7 +7372,7 @@ interactions: false,\r\n \"enableVmProtection\": false\r\n }\r\n}" headers: azure-asyncoperation: - - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/7ce60bba-32b4-437e-82b3-e0044b41e6c4?api-version=2019-11-01 + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/817d1294-4c38-45c1-9449-f8f259d99faf?api-version=2019-11-01 cache-control: - no-cache content-length: @@ -7523,7 +7380,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:06 GMT + - Tue, 11 Feb 2020 19:53:50 GMT expires: - '-1' pragma: @@ -7536,9 +7393,9 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - baf353af-401b-48e6-9f05-4a0a8954729e + - 07c00162-2d86-49e2-921a-620f69f06f84 x-ms-ratelimit-remaining-subscription-writes: - - '1192' + - '1199' status: code: 201 message: Created 
@@ -7556,110 +7413,10 @@ interactions: ParameterSetName: - -g -n --subnet-name User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/7ce60bba-32b4-437e-82b3-e0044b41e6c4?api-version=2019-11-01 - response: - body: - string: "{\r\n \"status\": \"InProgress\"\r\n}" - headers: - cache-control: - - no-cache - content-length: - - '30' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 07 Feb 2020 16:42:09 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Microsoft-HTTPAPI/2.0 - - Microsoft-HTTPAPI/2.0 - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-arm-service-request-id: - - 149fcb3a-088b-4eeb-add8-db59636265ad - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - network vnet create - Connection: - - keep-alive - ParameterSetName: - - -g -n --subnet-name - User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/7ce60bba-32b4-437e-82b3-e0044b41e6c4?api-version=2019-11-01 - response: - body: - string: "{\r\n \"status\": \"InProgress\"\r\n}" - headers: - cache-control: - - no-cache - content-length: - - '30' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 07 Feb 2020 16:42:20 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Microsoft-HTTPAPI/2.0 - - Microsoft-HTTPAPI/2.0 - 
strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-arm-service-request-id: - - 5daaec4f-0f2d-4332-9672-0651a5b8706a - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - network vnet create - Connection: - - keep-alive - ParameterSetName: - - -g -n --subnet-name - User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/7ce60bba-32b4-437e-82b3-e0044b41e6c4?api-version=2019-11-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/westus/operations/817d1294-4c38-45c1-9449-f8f259d99faf?api-version=2019-11-01 response: body: string: "{\r\n \"status\": \"Succeeded\"\r\n}" @@ -7671,7 +7428,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:30 GMT + - Tue, 11 Feb 2020 19:53:53 GMT expires: - '-1' pragma: @@ -7688,7 +7445,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - b67d66c4-659f-4a10-95c6-e7f448b019a1 + - 3548978f-988c-44c8-a7c5-bc23123c26d5 status: code: 200 message: OK 
@@ -7706,7 +7463,7 @@ interactions: ParameterSetName: - -g -n --subnet-name User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet000006?api-version=2019-11-01 
@@ -7714,15 +7471,15 @@ interactions: body: string: "{\r\n \"name\": \"azurecli-test-policy-vnet000006\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet000006\",\r\n - \ \"etag\": \"W/\\\"6294ec49-bf93-4565-99f7-d5f91b505d27\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"b5cb76c2-4b67-4f5b-bdf0-1e4bf4f58ec7\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"westus\",\r\n \ \"tags\": {},\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"resourceGuid\": \"086daa60-06e4-4840-8945-c0624786e0ab\",\r\n \"addressSpace\": + \ \"resourceGuid\": \"2d46e74a-ef33-48ab-9964-7f34805118ed\",\r\n \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n ]\r\n \ },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n },\r\n \ \"subnets\": [\r\n {\r\n \"name\": \"azurecli-test-policy-subnet000007\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet000006/subnets/azurecli-test-policy-subnet000007\",\r\n - \ \"etag\": \"W/\\\"6294ec49-bf93-4565-99f7-d5f91b505d27\\\"\",\r\n + \ \"etag\": \"W/\\\"b5cb76c2-4b67-4f5b-bdf0-1e4bf4f58ec7\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": @@ -7737,9 +7494,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:31 GMT + - Tue, 11 Feb 2020 19:53:53 GMT etag: - - W/"6294ec49-bf93-4565-99f7-d5f91b505d27" + - W/"b5cb76c2-4b67-4f5b-bdf0-1e4bf4f58ec7" expires: - '-1' pragma: 
@@ -7756,7 +7513,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - a960834b-b3fd-42cf-aa21-ad6febb8c725 + - dbb95ae3-fec7-4966-97ff-f34cf37f328b status: code: 200 message: OK @@ -7774,7 +7531,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g --not-scopes --params --sku User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7782,7 +7539,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:56.6285028Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: cache-control: @@ -7792,7 +7549,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:31 GMT + - Tue, 11 Feb 2020 19:53:54 GMT expires: - '-1' pragma: 
@@ -7831,7 +7588,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g --not-scopes --params --sku User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7839,7 +7596,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:02.6701753Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:42:32.7300762Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' + string: 
'{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:49.0799687Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:55.2048381Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' headers: cache-control: - no-cache @@ -7848,7 +7605,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:32 GMT + - Tue, 11 Feb 2020 19:53:54 GMT expires: - '-1' pragma: @@ -7858,7 +7615,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1189' + - '1199' status: code: 201 message: Created @@ -7876,7 +7633,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7894,7 +7651,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:33 GMT + - Tue, 11 Feb 2020 19:53:55 GMT expires: - '-1' pragma: @@ -7920,7 +7677,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -7938,7 +7695,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:33 GMT + - Tue, 11 Feb 2020 19:53:55 GMT expires: - '-1' pragma: @@ -7975,7 +7732,7 @@ interactions: ParameterSetName: - --policy -n --display-name -g User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -7983,7 +7740,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:34.3732075Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment2000008"}' + string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:56.4388365Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment2000008"}' headers: cache-control: - no-cache 
@@ -7992,7 +7749,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:34 GMT + - Tue, 11 Feb 2020 19:53:56 GMT expires: - '-1' pragma: @@ -8002,7 +7759,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1192' + - '1199' status: code: 201 message: Created @@ -8022,7 +7779,7 @@ interactions: ParameterSetName: - -n -g User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -8030,7 +7787,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:34.3732075Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment2000008"}' + string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:56.4388365Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment2000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment2000008"}' headers: cache-control: - no-cache 
@@ -8039,7 +7796,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:35 GMT + - Tue, 11 Feb 2020 19:53:56 GMT expires: - '-1' pragma: @@ -8053,7 +7810,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-deletes: - - '14996' + - '14999' status: code: 200 message: OK @@ -8069,7 +7826,7 @@ interactions: Connection: - keep-alive User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -8077,29 +7834,38 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 response: body: - string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configured","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["uaenorth","australiaeast","australiacentral2","germanynorth","koreasouth","koreacentral","canadaeast","canadacentral","eastus2","japaneast","switzerlandnorth","southindia"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - ","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T03:22:55.9782042Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/7902e454187e44d483bdb36e","type":"Microsoft.Authorization/policyAssignments","name":"7902e454187e44d483bdb36e"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"asdadssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiacentral2","australiasoutheast","canadacentral","centralus","eastus","francecentral","francesouth"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:19:44.7812804Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8395d67bfbf84a77a0b0f13c","type":"Microsoft.Authorization/policyAssignments","name":"8395d67bfbf84a77a0b0f13c"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configuredtetertre","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiaeast","australiacentral","northeurope","germanywestcentral","francesouth","francecentral","koreacentral"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T07:07:04.8796207Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/a63ac8b170304e209b2298f9","type":"Microsoft.Authorization/policyAssignments","name":"a63ac8b170304e209b2298f9"},{"sku":{"name":"A0","tier":"Free"},"properties":{"policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast"]}},"metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:09:28.8320308Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-25T10:02:57.4496088Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/Audit - virtual machines without disaster recovery configured","type":"Microsoft.Authorization/policyAssignments","name":"Audit - virtual machines without disaster recovery configured"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - DataProtection (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","description":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - 
Center","createdBy":"2f8a138f-0955-44e1-9124-c386dfaecad4","createdOn":"2019-11-25T02:19:57.9086573Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/DataProtectionSecurityCenter","type":"Microsoft.Authorization/policyAssignments","name":"DataProtectionSecurityCenter"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - Default (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"diagnosticsLogsInServiceFabricMonitoringEffect":{"value":"AuditIfNotExists"},"systemUpdatesMonitoringEffect":{"value":"AuditIfNotExists"},"systemConfigurationsMonitoringEffect":{"value":"AuditIfNotExists"},"endpointProtectionMonitoringEffect":{"value":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"value":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"value":"AuditIfNotExists"},"sqlEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"value":"Audit"},"jitNetworkAccessMonitoringEffect":{"value":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateLessThanOwnersMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateMoreThanOneOwnerMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAFor
ReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"secureTransferToStorageAccountMonitoringEffect":{"value":"Audit"},"aadAuthenticationInSqlServerMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInRedisCacheMonitoringEffect":{"value":"Audit"},"clusterProtectionLevelInServiceFabricMonitoringEffect":{"value":"Audit"},"aadAuthenticationInServiceFabricMonitoringEffect":{"value":"Audit"},"diagnosticsLogsInServiceBusMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeStoreMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInEventHubMonitoringEffect":{"value":"AuditIfNotExists"},"metricAlertsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"value":"Audit"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"value":"Audit"},"classicComputeVMsMonitoringEffect":{"value":"Audit"},"classicStorageAccountsMonitoringEffect":{"value":"Audit"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInKeyVaultMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInStreamAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"value":"AuditIfNotExists"}},"description
":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - Center"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn","type":"Microsoft.Authorization/policyAssignments","name":"SecurityCenterBuiltIn"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:02.6701753Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:42:32.7300762Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}]}' + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test + Modify initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert + 
Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + msi test","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-07T21:29:11.0201724Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"identity":{"principalId":"0576317a-a1c9-4008-8d7f-ce37e8683a15","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/64e6ce4eb2c346f9a84a27ee","type":"Microsoft.Authorization/policyAssignments","name":"64e6ce4eb2c346f9a84a27ee","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + replace tag RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support + audit requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","M
icrosoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This + initiative includes audit and VM Extension deployment policies that address + a subset of NIST SP 800-53 R4 controls. Additional policies will be added + in upcoming releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + Replace tag without becoming compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource 
(SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:49.0799687Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:55.2048381Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsof
t.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit + tag at MG","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000"],"parameters":{},"metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:48.2629834Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-10-01T17:50:28.4254014Z"},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/ef26e8bbc3da423ebf7fcb80","type":"Microsoft.Authorization/policyAssignments","name":"ef26e8bbc3da423ebf7fcb80"}]}' headers: cache-control: - no-cache content-length: - - '10224' + - '11648' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:36 GMT + - Tue, 11 Feb 2020 19:53:57 GMT expires: - '-1' pragma: @@ -8129,7 +7895,7 @@ interactions: ParameterSetName: - --disable-scope-strict-match User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
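Review bot: The re-recorded `string:` body in the `@@ -8077,29 +7834,38 @@` hunk commits directory data that the recording scrubber does not touch. Only the subscription id is zeroed, while `tenantId`, the `principalId` of every system-assigned identity, the `createdBy`/`updatedBy` object ids, the `assignedBy` display names, the management group name and what look like user aliases in the policy parameter values are stored verbatim. I would add these fields to the recording processor before re-recording, so the cassette holds placeholders such as `"tenantId":"00000000-0000-0000-0000-000000000000"` and `"assignedBy":"scrubbed"` (constructed sample values). The same applies to the `createdBy` id in the `@@ -8030,7 +7787,7 @@` hunk and to the identical body in the `@@ -8137,29 +7903,38 @@` hunk, which continues outside this view. The list call also returns every assignment in the recording subscription, not only the ones the test creates, so recording against a subscription with no unrelated assignments would keep this data out of the file and make the cassette smaller.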
@@ -8137,29 +7903,38 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 response: body: - string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configured","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["uaenorth","australiaeast","australiacentral2","germanynorth","koreasouth","koreacentral","canadaeast","canadacentral","eastus2","japaneast","switzerlandnorth","southindia"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - ","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T03:22:55.9782042Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/7902e454187e44d483bdb36e","type":"Microsoft.Authorization/policyAssignments","name":"7902e454187e44d483bdb36e"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"asdadssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiacentral2","australiasoutheast","canadacentral","centralus","eastus","francecentral","francesouth"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:19:44.7812804Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8395d67bfbf84a77a0b0f13c","type":"Microsoft.Authorization/policyAssignments","name":"8395d67bfbf84a77a0b0f13c"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configuredtetertre","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiaeast","australiacentral","northeurope","germanywestcentral","francesouth","francecentral","koreacentral"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T07:07:04.8796207Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/a63ac8b170304e209b2298f9","type":"Microsoft.Authorization/policyAssignments","name":"a63ac8b170304e209b2298f9"},{"sku":{"name":"A0","tier":"Free"},"properties":{"policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast"]}},"metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:09:28.8320308Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-25T10:02:57.4496088Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/Audit - virtual machines without disaster recovery configured","type":"Microsoft.Authorization/policyAssignments","name":"Audit - virtual machines without disaster recovery configured"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - DataProtection (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","description":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - 
Center","createdBy":"2f8a138f-0955-44e1-9124-c386dfaecad4","createdOn":"2019-11-25T02:19:57.9086573Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/DataProtectionSecurityCenter","type":"Microsoft.Authorization/policyAssignments","name":"DataProtectionSecurityCenter"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - Default (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"diagnosticsLogsInServiceFabricMonitoringEffect":{"value":"AuditIfNotExists"},"systemUpdatesMonitoringEffect":{"value":"AuditIfNotExists"},"systemConfigurationsMonitoringEffect":{"value":"AuditIfNotExists"},"endpointProtectionMonitoringEffect":{"value":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"value":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"value":"AuditIfNotExists"},"sqlEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"value":"Audit"},"jitNetworkAccessMonitoringEffect":{"value":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateLessThanOwnersMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateMoreThanOneOwnerMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAFor
ReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"secureTransferToStorageAccountMonitoringEffect":{"value":"Audit"},"aadAuthenticationInSqlServerMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInRedisCacheMonitoringEffect":{"value":"Audit"},"clusterProtectionLevelInServiceFabricMonitoringEffect":{"value":"Audit"},"aadAuthenticationInServiceFabricMonitoringEffect":{"value":"Audit"},"diagnosticsLogsInServiceBusMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeStoreMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInEventHubMonitoringEffect":{"value":"AuditIfNotExists"},"metricAlertsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"value":"Audit"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"value":"Audit"},"classicComputeVMsMonitoringEffect":{"value":"Audit"},"classicStorageAccountsMonitoringEffect":{"value":"Audit"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInKeyVaultMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInStreamAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"value":"AuditIfNotExists"}},"description
":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - Center"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn","type":"Microsoft.Authorization/policyAssignments","name":"SecurityCenterBuiltIn"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:02.6701753Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:42:32.7300762Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}]}' + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test + Modify initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert + 
Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + msi test","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-07T21:29:11.0201724Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"identity":{"principalId":"0576317a-a1c9-4008-8d7f-ce37e8683a15","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/64e6ce4eb2c346f9a84a27ee","type":"Microsoft.Authorization/policyAssignments","name":"64e6ce4eb2c346f9a84a27ee","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + replace tag RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support + audit requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","M
icrosoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This + initiative includes audit and VM Extension deployment policies that address + a subset of NIST SP 800-53 R4 controls. Additional policies will be added + in upcoming releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + Replace tag without becoming compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource 
(SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:49.0799687Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:55.2048381Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsof
t.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit + tag at MG","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000"],"parameters":{},"metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:48.2629834Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-10-01T17:50:28.4254014Z"},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/ef26e8bbc3da423ebf7fcb80","type":"Microsoft.Authorization/policyAssignments","name":"ef26e8bbc3da423ebf7fcb80"}]}' headers: cache-control: - no-cache content-length: - - '10224' + - '11648' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:36 GMT + - Tue, 11 Feb 2020 19:53:57 GMT expires: - '-1' pragma: @@ -8191,7 +7966,7 @@ interactions: ParameterSetName: - -n -g User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -8199,7 +7974,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:42:02.6701753Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:42:32.7300762Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' + string: 
'{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Network/virtualNetworks"],"parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:49.0799687Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:55.2048381Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policy000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000004","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000004"}' headers: cache-control: - no-cache @@ -8208,7 +7983,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:38 GMT + - Tue, 11 Feb 2020 19:53:58 GMT expires: - '-1' pragma: @@ -8222,7 +7997,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-deletes: - - '14995' + - '14999' status: code: 200 message: OK @@ -8240,7 +8015,7 @@ interactions: ParameterSetName: - --disable-scope-strict-match User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -8248,29 +8023,38 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 response: body: - string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configured","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["uaenorth","australiaeast","australiacentral2","germanynorth","koreasouth","koreacentral","canadaeast","canadacentral","eastus2","japaneast","switzerlandnorth","southindia"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - ","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T03:22:55.9782042Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/7902e454187e44d483bdb36e","type":"Microsoft.Authorization/policyAssignments","name":"7902e454187e44d483bdb36e"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"asdadssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiacentral2","australiasoutheast","canadacentral","centralus","eastus","francecentral","francesouth"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:19:44.7812804Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8395d67bfbf84a77a0b0f13c","type":"Microsoft.Authorization/policyAssignments","name":"8395d67bfbf84a77a0b0f13c"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - virtual machines without disaster recovery configuredtetertre","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiaeast","australiacentral","northeurope","germanywestcentral","francesouth","francecentral","koreacentral"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com - 
","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T07:07:04.8796207Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/a63ac8b170304e209b2298f9","type":"Microsoft.Authorization/policyAssignments","name":"a63ac8b170304e209b2298f9"},{"sku":{"name":"A0","tier":"Free"},"properties":{"policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast"]}},"metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:09:28.8320308Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-25T10:02:57.4496088Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/Audit - virtual machines without disaster recovery configured","type":"Microsoft.Authorization/policyAssignments","name":"Audit - virtual machines without disaster recovery configured"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - DataProtection (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","description":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - 
Center","createdBy":"2f8a138f-0955-44e1-9124-c386dfaecad4","createdOn":"2019-11-25T02:19:57.9086573Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/DataProtectionSecurityCenter","type":"Microsoft.Authorization/policyAssignments","name":"DataProtectionSecurityCenter"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - Default (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"diagnosticsLogsInServiceFabricMonitoringEffect":{"value":"AuditIfNotExists"},"systemUpdatesMonitoringEffect":{"value":"AuditIfNotExists"},"systemConfigurationsMonitoringEffect":{"value":"AuditIfNotExists"},"endpointProtectionMonitoringEffect":{"value":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"value":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"value":"AuditIfNotExists"},"sqlEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"value":"Audit"},"jitNetworkAccessMonitoringEffect":{"value":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateLessThanOwnersMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateMoreThanOneOwnerMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAFor
ReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"secureTransferToStorageAccountMonitoringEffect":{"value":"Audit"},"aadAuthenticationInSqlServerMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInRedisCacheMonitoringEffect":{"value":"Audit"},"clusterProtectionLevelInServiceFabricMonitoringEffect":{"value":"Audit"},"aadAuthenticationInServiceFabricMonitoringEffect":{"value":"Audit"},"diagnosticsLogsInServiceBusMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeStoreMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInEventHubMonitoringEffect":{"value":"AuditIfNotExists"},"metricAlertsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"value":"Audit"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"value":"Audit"},"classicComputeVMsMonitoringEffect":{"value":"Audit"},"classicStorageAccountsMonitoringEffect":{"value":"Audit"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInKeyVaultMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInStreamAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"value":"AuditIfNotExists"}},"description
":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - Center"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn","type":"Microsoft.Authorization/policyAssignments","name":"SecurityCenterBuiltIn"}]}' + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test + Modify initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert + Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + msi test","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-07T21:29:11.0201724Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"identity":{"principalId":"0576317a-a1c9-4008-8d7f-ce37e8683a15","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/64e6ce4eb2c346f9a84a27ee","type":"Microsoft.Authorization/policyAssignments","name":"64e6ce4eb2c346f9a84a27ee","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + replace tag RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support + audit 
requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGr
oup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This + initiative includes audit and VM Extension deployment policies that address + a subset of NIST SP 800-53 R4 controls. Additional policies will be added + in upcoming releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + Replace tag without becoming compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit + tag at MG","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000"],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:48.2629834Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-10-01T17:50:28.4254014Z"},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/ef26e8bbc3da423ebf7fcb80","type":"Microsoft.Authorization/policyAssignments","name":"ef26e8bbc3da423ebf7fcb80"}]}' headers: cache-control: - no-cache content-length: - - '8953' + - '10377' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:39 GMT + - Tue, 11 Feb 2020 19:53:58 GMT expires: - '-1' pragma: 
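Review bot: The list response re-recorded in this hunk commits identity metadata verbatim: each assignment carries `assignedBy` display names, `createdBy`/`updatedBy` object IDs, and `principalId` and `tenantId` under `identity`, while only the subscription ID is normalised to zeros. The body also captures assignments that appear unrelated to the test (their names are not the `azurecli-test-...` resources used elsewhere in the recording), so the recording depends on whatever existed in the recording subscription and its parent management group. I would re-record in a scope that holds only the test's own assignments, or scrub these fields before committing, e.g. `"tenantId":"00000000-0000-0000-0000-000000000000"` and `"assignedBy":"<scrubbed>"`. The same body is added by the earlier list-response hunk that starts above this view, and the `createdBy`/`updatedBy` IDs also appear in the `@@ -8199,7 +7974,7 @@` and `@@ -8310,7 +8094,7 @@` hunks.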
@@ -8302,7 +8086,7 @@ interactions: ParameterSetName: - -n User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -8310,7 +8094,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","createdOn":"2020-02-07T16:41:54.1524477Z","updatedBy":"f0f844e0-d2fe-4aa3-8e2c-2e429618f305","updatedOn":"2020-02-07T16:41:56.6285028Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:53:42.2094347Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:53:44.0809034Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: cache-control: 
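Review bot: The re-recorded response body in the `@@ -8310,7 +8094,7 @@` hunk still carries live-looking identity values: `createdBy` and `updatedBy` now hold a different GUID than before, presumably the object id of whoever re-ran the test, while the subscription id in the same body is scrubbed to zeros. The policy-assignment list response earlier in this recording has the same gap, with `assignedBy` holding a person's name and `identity.principalId` / `tenantId` left as recorded. Before committing the cassette, consider replacing these the same way the subscription id is handled, e.g. `"createdBy":"00000000-0000-0000-0000-000000000000"`, and likewise for `updatedBy`, `principalId` and `tenantId`. Whether the test framework has a recording processor that could do this automatically is not visible from this file; if it does, extending it would keep future re-recordings from reintroducing the values.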
@@ -8320,7 +8104,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:41 GMT + - Tue, 11 Feb 2020 19:53:59 GMT expires: - '-1' pragma: @@ -8350,7 +8134,7 @@ interactions: Connection: - keep-alive User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -8358,6981 +8142,6838 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-09-01 response: body: - string: "{\"value\":[{\"properties\":{\"displayName\":\"Microsoft Managed Control - 1599 - Developer Configuration Management | Software / Firmware Integrity - Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0004bbf0-5099-4179-869e-e9ffe5fb0945\"},{\"properties\":{\"displayName\":\"Audit - virtual machines without disaster recovery configured\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 + - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit + virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. To learn - more about disaster recovery, visit https://aka.ms/asr-doc.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Resources/links\",\"existenceCondition\":{\"field\":\"name\",\"like\":\"ASR-Protect-*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + more about disaster recovery, visit 
https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an Function app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"001802d1-4969-4c82-a700-c29c6c6f9bbd\"},{\"properties\":{\"displayName\":\"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For - Availability Of Information / Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"00379355-8932-4b52-b63a-3bc6daf3451a\"},{\"properties\":{\"displayName\":\"Microsoft + Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static - Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0062eb8b-dc75-4718-8ea5-9bb4a9606655\"},{\"properties\":{\"displayName\":\"Azure - Backup should be enabled for Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data - recovery and is easier to enable than other cloud backup services.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"backup\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"013e242c-8828-4970-87b3-ab247555486d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1142 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01524fa8-4555-48ce-ba5f-c3b8dcef5147\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1099 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01910bab-8639-4bd0-84ef-cc53b24d79ba\"},{\"properties\":{\"displayName\":\"Microsoft + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft + Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft + Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01f7726b-db54-45c2-bcb5-9bd7a43796ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1709 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"025992d6-7fee-4137-9bbf-2ffc39c0686c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1052 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"027cae1c-ec3e-4492-9036-4168d540c42a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1034 - Least Privilege\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a5ed00-6d2e-4e97-9a98-46c32c057329\"},{\"properties\":{\"displayName\":\"[Preview]: + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + Managed Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft + Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft + Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status - does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a84be7-c304-421f-9bb7-5d2c26af54ad\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1623 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02ce1b22-412a-4528-8630-c42146f917ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1515 - Personnel 
Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02dd141a-a2b2-49a7-bcbd-ca31142f6211\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1327 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03188d8f-1ae5-4fe1-974d-2d7d32ef937d\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft + Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft + Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate - Accounting Of Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03752212-103c-4ab8-a306-7e813022ca9d\"},{\"properties\":{\"displayName\":\"Microsoft + Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level - Adjustment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03996055-37a4-45a5-8b70-3f1caa45f87d\"},{\"properties\":{\"displayName\":\"Microsoft + Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - - Minimal Operational Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ad326e-d7a1-44b1-9a76-e17492efc9e4\"},{\"properties\":{\"displayName\":\"Microsoft + - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated - Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03b78f5e-4877-4303-b0f4-eb6583f25768\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1361 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ed3be1-7276-4452-9a5d-e4168565ac67\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1594 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"042ba2a1-8bb8-45f4-b080-c78cf62b90e9\"},{\"properties\":{\"displayName\":\"SQL - managed instance TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft + Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft + Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL + managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"048248b0-55cd-46da-b1ff-39efd52db260\"},{\"properties\":{\"displayName\":\"[Preview]: + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable Dependency Agent for Linux VMs - 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenc
eCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04c4380f-3fae-46e8-96c9-30193528f602\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Service Bus to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"ap
iVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04d53d87-841c-4f23-8a5b-21564380b55e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1572 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics 
Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft + Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not 
installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"
field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandl
erVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"053d3325-282c-4e5c-b944-24faffd30d77\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1331 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05460fe2-301f-4ed1-8174-d62c8bb92ff4\"},{\"properties\":{\"displayName\":\"Vulnerability + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"typ
e":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft + Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive - scan reports\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send scan reports to' field in + scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Azure Data Lake Store should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic + logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057ef27e-665e-4328-8ea3-04b3122bd9fb\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate - Physical Systems / Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1223 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1640 - Transmission Confidentiality And Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a289ce-6a20-4b75-a0f3-dc8601b6acd0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1420 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05ae08cc-a282-413b-90c7-21a2c60b8404\"},{\"properties\":{\"displayName\":\"Microsoft + Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft + Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft + Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft + Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive - Or Caching Resolver)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063b540e-4bdc-4e7a-a569-3a42ddf22098\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1688 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063c3f09-e0f0-4587-8fd5-f4276fae675f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1332 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068260be-a5e6-4b0a-a430-cd27071c226a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1455 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068a88d4-e520-434e-baf0-9005a8164e6a\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit SQL DB Level Audit Setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - DB level audit setting for SQL databases\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Audit 
Setting\"},\"allowedValues\":[\"enabled\",\"disabled\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Audit - VMs that do not use managed disks\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits VMs that do not use managed disks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/osDisk.uri\",\"exists\":\"True\"}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/VirtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers\",\"exists\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl\",\"exists\":\"True\"}]}]}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a4d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1366 - Incident Handling | Information Correlation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06c45c30-ae44-4f0f-82be-41331da911cc\"},{\"properties\":{\"displayName\":\"Microsoft + Or Caching Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft + Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft + Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft + Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: + Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This + policy audits VMs that do not use managed 
disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated - Proxy Servers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"07557aa0-e02f-4460-9a81-8ecd2fed601a\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS + should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. 
Allow only required domains to interact with your Function app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0820b7b9-23aa-4725-a1ce-ae4558f718e5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Cont
ainers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",
\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0868462e-646c-4fe3-9ced-a733534b6a2c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1583 - Information System 
Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0882d488-8e80-4466-bc0f-0cd15b6cb66d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + values: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft
.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","param
eters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft + Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08b17839-76c6-4015-90e0-33d9d54d219c\"},{\"properties\":{\"displayName\":\"Deploy - 
Diagnostic Settings for Search Services to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The 
diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\"
:{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08ba64b8-738f-4918-9686-730d2ed79c7d\"},{\"properties\":{\"displayName\":\"Adaptive + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from 
dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive Network Hardening recommendations should be applied on internet facing virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"adaptiveNetworkHardenings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08e6af2d-db70-460a-bfe9-d5bd474ba9d6\"},{\"properties\":{\"displayName\":\"There - should be more than one owner assigned to your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There + should be more than one owner 
assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateMoreThanOneOwner\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09024ccc-0c5f-475e-9457-b7c0d9ed487b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1159 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0925f098-7877-450b-8ba4-d1e55f2d8795\"},{\"properties\":{\"displayName\":\"Disk - 
encryption should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"VMs + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft + Managed Control 1159 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk + encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as 
recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0961003e-5a0a-4549-abde-af6a37f2724d\"},{\"properties\":{\"displayName\":\"Microsoft + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. 
Users) | Network - Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09828c65-e323-422b-9774-9d5c646124da\"},{\"properties\":{\"displayName\":\"Configure - backup on VMs of a location to an existing central Vault in the same location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure + backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the 
same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Backup\"},\"parameters\":{\"vaultLocation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Location - (Specify the location of the VMs that you want to protect)\",\"description\":\"Specify + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up - to a vault in the same location.\\nFor example - southeastasia\",\"strongType\":\"location\"}},\"backupPolicyId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Backup - Policy (of type Azure VM from a vault in the location chosen above)\",\"description\":\"Specify + to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup + Policy (of type Azure VM from a vault in the location chosen above)","description":"Specify the id of the Azure backup policy to configure backup of the virtual machines. The selected Azure backup policy should be of type Azure virtual machine. 
This policy needs to be in a vault that is present in the location chosen - above.\\nFor example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/\",\"strongType\":\"Microsoft.RecoveryServices/vaults/backupPolicies\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"deployIfNotExists\",\"auditIfNotExists\",\"disabled\"],\"defaultValue\":\"deployIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"location\",\"equals\":\"[parameters('vaultLocation')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute
/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"S
LES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\",\"/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b\"],\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{
\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[concat('DeployProtection-',uniqueString(parameters('protectedItems')))]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[first(skip(split(parameters('backupPolicyId'), - '/'), 4))]\",\"subscriptionId\":\"[first(skip(split(parameters('backupPolicyId'), - '/'), 2))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"type\":\"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems\",\"name\":\"[concat(first(skip(split(parameters('backupPolicyId'), - '/'), 8)), '/', parameters('fabricName'), '/',parameters('protectionContainers'), - '/', parameters('protectedItems'))]\",\"apiVersion\":\"2016-06-01\",\"properties\":{\"protectedItemType\":\"Microsoft.Compute/virtualMachines\",\"policyId\":\"[parameters('backupPolicyId')]\",\"sourceResourceId\":\"[parameters('sourceResourceId')]\"}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"[parameters('fabricName')]\"},\"protectionContainers\":{\"value\":\"[parameters('protectionContainers')]\"},\"protectedItems\":{\"value\":\"[parameters('protectedItems')]\"},\"sourceResourceId\":{\"value\":\"[parameters('sourceResourceId')]\"}}}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"Azure\"},\"protectionContainers\":{\"value\":\"[concat('iaasvmcontainer;iaasvmcontainerv2;', - resourceGroup().name, ';' 
,field('name'))]\"},\"protectedItems\":{\"value\":\"[concat('vm;iaasvmcontainerv2;', - resourceGroup().name, ';' ,field('name'))]\"},\"sourceResourceId\":{\"value\":\"[concat('/subscriptions/', - subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09ce66bc-1220-4153-8104-e3f51c936913\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1654 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a2ee16e-ab1f-414a-800b-d1608835862b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a560d32-8075-4fec-9615-9f7c853f4ea9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1428 - Media Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a77fcc7-b8d8-451a-ab52-56197913c0c7\"},{\"properties\":{\"displayName\":\"Audit - resource location matches resource group location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that the resource location matches its resource group 
location\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"policyRule\":{\"if\":{\"field\":\"location\",\"notIn\":[\"[resourcegroup().location]\",\"global\"]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a914e76-4921-4c19-b460-a2d36003525a\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + above.\nFor example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/","strongType":"Microsoft.RecoveryServices/vaults/backupPolicies"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["deployIfNotExists","auditIfNotExists","disabled"],"defaultValue":"deployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"location","equals":"[parameters(''vaultLocation'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalld
isk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*
"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c","/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"type":"Microsoft.RecoveryServices/backupprotecteditems","deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"String"},"fabricName":{"type":"String"},"protectionContainers":{"type":"String"},"prot
ectedItems":{"type":"String"},"sourceResourceId":{"type":"String"}},"resources":[{"apiVersion":"2017-05-10","name":"[concat(''DeployProtection-'',uniqueString(parameters(''protectedItems'')))]","type":"Microsoft.Resources/deployments","resourceGroup":"[first(skip(split(parameters(''backupPolicyId''), + ''/''), 4))]","subscriptionId":"[first(skip(split(parameters(''backupPolicyId''), + ''/''), 2))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"String"},"fabricName":{"type":"String"},"protectionContainers":{"type":"String"},"protectedItems":{"type":"String"},"sourceResourceId":{"type":"String"}},"resources":[{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","name":"[concat(first(skip(split(parameters(''backupPolicyId''), + ''/''), 8)), ''/'', parameters(''fabricName''), ''/'',parameters(''protectionContainers''), + ''/'', parameters(''protectedItems''))]","apiVersion":"2016-06-01","properties":{"protectedItemType":"Microsoft.Compute/virtualMachines","policyId":"[parameters(''backupPolicyId'')]","sourceResourceId":"[parameters(''sourceResourceId'')]"}}]},"parameters":{"backupPolicyId":{"value":"[parameters(''backupPolicyId'')]"},"fabricName":{"value":"[parameters(''fabricName'')]"},"protectionContainers":{"value":"[parameters(''protectionContainers'')]"},"protectedItems":{"value":"[parameters(''protectedItems'')]"},"sourceResourceId":{"value":"[parameters(''sourceResourceId'')]"}}}}]},"parameters":{"backupPolicyId":{"value":"[parameters(''backupPolicyId'')]"},"fabricName":{"value":"Azure"},"protectionContainers":{"value":"[concat(''iaasvmcontainer;iaasvmcontainerv2;'', + resourceGroup().name, '';'' ,field(''name''))]"},"protectedItems":{"value":"[concat(''vm;iaasvmcontainerv2;'', + resourceGroup().name, '';'' 
,field(''name''))]"},"sourceResourceId":{"value":"[concat(''/subscriptions/'', + subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, + ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft + Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft + Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit + resource location matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Account 
Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Account Management'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''System Audit Policies + - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"
field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":
{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a9991e6-21be-49f9-8916-a06d934bcf29\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1044 - Unsuccessful Logon Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0abbac52-57cf-450d-8408-1208d0dd9e90\"},{\"properties\":{\"displayName\":\"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft + Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0afce0b3-dd9f-42bb-af28-1e4284ba8311\"},{\"properties\":{\"displayName\":\"Email - notification to subscription owner for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email + notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b15565f-aa9e-48ba-8619-45960f2c314d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b1aa965-7502-41f9-92be-3e2fe7cc392a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1020 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b291ee8-3140-4cad-beb7-568c077c78ce\"},{\"properties\":{\"displayName\":\"Key - Vault objects should be recoverable\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft + Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft + Managed Control 1020 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key + Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object - is deleted. When 'Purge protection' is on, a vault or an object in deleted + is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. 
These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"equals\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1115 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b653845-2ad9-4e09-a4f3-5a7c1d78353d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1239 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0be51298-f643-4556-88af-d7db90794879\"},{\"properties\":{\"displayName\":\"Ensure - API app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. 
- Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0c192fe8-9cbb-4516-85b3-0ade8bd03886\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1496 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ca96127-2f87-46ab-a4fc-0d2a786df1c8\"},{\"properties\":{\"displayName\":\"SQL - server TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + policy will be followed.","metadata":{"version":"1.0.0","category":"Key 
Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft + Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft + Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure + API app has ''Client Certificates (Incoming client certificates)'' set to + ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft + Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/servers/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d134df8-db83-46fb-ad72-fe0c9428c8dd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1518 - Personnel 
Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d58f734-c052-40e9-8b2f-a1c2bff0b815\"},{\"properties\":{\"displayName\":\"Microsoft + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft + Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity - Checks\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d87c70b-5012-48e9-994b-e70dd4b8def0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1466 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d943a9c-a6f1-401f-a792-740cdb09c451\"},{\"properties\":{\"displayName\":\"[Preview]: + Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft + Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard - is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which Windows Defender Exploit Guard - is not enabled. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0da106f2-4ca3-48e8-bc85-c638fe6aea8f\"},{\"properties\":{\"displayName\":\"Microsoft + is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines on which Windows Defender Exploit Guard is not enabled. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary - Or Machine Executable 
Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0dced7ab-9ce5-4137-93aa-14c13e06ab17\"},{\"properties\":{\"displayName\":\"[Preview]: - Authorized IP ranges should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Restrict + Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: + Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"field\":\"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + debugging should be turned off for Function 
Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. Remote debugging - should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e60b895-3786-45da-8377-9c6b4b6ac5f9\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for MariaDB\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMariaDB/servers\"},{\"field\":\"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ec47710-77ff-4a3d-9181-6aa50af424d0\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to enable Guest Configuration Policy on Windows VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy + prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk
.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforWindows\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforWindows\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ecd903d-91e7-4726-83d3-a229d7f2e293\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1601 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1476 - Fire Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f3c4ac2-3e35-4906-a80b-473b12a622d7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1204 - Access Restrictions For Change | Review System Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f4f6750-d1ab-4a4c-8dfd-af3237682665\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1430 - Media Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f559588-5e53-4b14-a7c4-85d28ebc2234\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1574 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f935dab-83d6-47b8-85ef-68b8584161b9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1164 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fb8d3ce-9e96-481c-9c68-88d4e3019310\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1017 - Account Management | Inactivity Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fc3db37-e59a-48c1-84e9-1780cedb409e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1087 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"100c82ba-42e9-4d44-a2ba-94b209248583\"},{\"properties\":{\"displayName\":\"[Preview]: + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"
allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft + Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft + Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft + Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft + Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft + Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft + Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft + Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft + Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified - certificates in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification - Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). It also creates + Authorities certificate store (Cert:\\LocalMachine\\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateThumbprints\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints\",\"description\":\"A semicolon-separated list of - certificate thumbprints that should exist under the Trusted Root certificate - store (Cert:\\\\LocalMachine\\\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"
Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', - '=', parameters('CertificateThumbprints')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsCertificateInTrustedRoot\"},\"CertificateThumbprints\":{\"value\":\"[parameters('CertificateThumbprints')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateThumbprints\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"106ccbe4-a791-4f33-a44a-06796944b8d5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1554 - Vulnerability Scanning | Discoverable Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10984b4e-c93e-48d7-bf20-9c03b04e9eca\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the Function - App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field"
:"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft + Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the Function + App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10c1859c-e1a7-4df3-ab97-a487fa8059f6\"},{\"properties\":{\"displayName\":\"Custom - subscription owner roles should not exist\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that no custom subscription owner roles exist.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"},{\"anyOf\":[{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions.actions[*]\",\"notEquals\":\"*\"}}]},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notIn\":[\"[concat(subscription().id,'/')]\",\"[subscription().id]\",\"/\"]}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notLike\":\"/providers/Microsoft.Management/*\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1230 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"11158848-f679-4e9b-aa7b-9fb07d945071\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1432 - Media 
Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1140e542-b80d-4048-af45-3f7245be274b\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Dependency Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom + subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that no custom subscription owner roles 
exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft + Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft + Managed Control 1432 
- Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: + Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"an
yOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canoni
cal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"11ac78e3-31bc-4f0c-8434-37ab963cea07\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1655 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"121eab72-390e-4629-a7e2-6d6184f57c6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1681 - Malicious Code Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12623e7e-4736-4b2e-b776-c1600f35f93a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1240 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"129eb39f-d79a-4503-84cd-92f036b5e429\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft + Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft + Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft + Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - System objects'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemobjects\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ae2d24-3805-4b37-9fa9-465968bfbcfa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1666 - System And 
Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12e30ee3-61e6-4509-8302-a871e8ebb91e\"},{\"properties\":{\"displayName\":\"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toL
ower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft + Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines + installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications 
installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"installedApplication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the applications that should be installed. e.g. 'Microsoft - SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL - Server 2014*' (to match any application starting with 'Microsoft SQL Server - 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]bwhitelistedapp;Name', - '=', 
parameters('installedApplication')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WhitelistedApplication\"},\"installedApplication\":{\"value\":\"[parameters('installedApplication')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"installedApplication\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + names (supports wildcards)","description":"A semicolon-separated list of the + names of the applications that should be installed. e.g. 
''Microsoft SQL Server + 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","
exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) - | Acceptance Of PIV Creds. From Other Agys.\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"131a2706-61e9-4916-a164-00e052056462\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1450 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"134d7a13-ba3e-41e2-b236-91bfcfa24e01\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1184 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1085 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d117e0-38b0-4bbb-aaab-563be5dd10ba\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1404 - Maintenance Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d8f903-0cd6-449f-a172-50f6579c182b\"},{\"properties\":{\"displayName\":\"Microsoft + | Acceptance Of PIV Creds. 
From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft + Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft + Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft + Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft + Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion - Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13fcf812-ec82-4eda-9b89-498de9efd620\"},{\"properties\":{\"displayName\":\"Deploy + Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains - any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members - to exclude\",\"description\":\"A semicolon-separated list of members that - should be excluded in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":
\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', - '=', parameters('MembersToExclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToExclude\"},\"MembersToExclude\":{\"value\":\"[parameters('MembersToExclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToExclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"144f1397-32f9-4598-8c88-118decc3ccba\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1157 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"15495367-cf68-464c-bbc3-f53ca5227b7a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1491 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1571dd40-dafc-4ef4-8f55-16eba27efc7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1564 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"157f0ef9-143f-496d-b8f9-f8c8eeaad801\"},{\"properties\":{\"displayName\":\"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members + to exclude","description":"A semicolon-separated list of members that should + be excluded in the Administrators local group. 
Ex: Administrator; myUser1; + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + ''='', parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft + Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft + Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password - age of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16390df4-2f73-4b42-af13-c801066763df\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1662 - Fail In Known 
State\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"165cb91f-7ea8-4ab7-beaf-8636b98c9d15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1684 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16bfdb59-db38-47a5-88a9-2e9371a638cf\"},{\"properties\":{\"displayName\":\"Show + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft + Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft + Managed Control 1684 - Information System 
Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell - modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + modules installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16f9b37c-4408-4c30-bc17-254958f2e2d6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1103 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16feeb31-6377-437e-bbab-d7f73911896d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1007 - Account 
Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17200329-bf6c-46d8-ac6d-abf4641c2add\"},{\"properties\":{\"displayName\":\"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Comp
ute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft + Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) - | Use Of FICAM-Approved Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17641f70-94cd-4a5d-a613-3d1143e20e34\"},{\"properties\":{\"displayName\":\"Deploy - associations for a managed application\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy + associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. 
This policy deployment does not support nested resource - types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Managed Application\"},\"parameters\":{\"targetManagedApplicationId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Managed - application ID\",\"description\":\"Resource ID of the managed application - to which resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - types to associate\",\"description\":\"The list of resource types to be associated - to the managed application.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association - name prefix\",\"description\":\"Prefix to be added to the name of the association - resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), - '-', uniqueString(parameters('targetManagedApplicationId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetManagedApplicationId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), - '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), - '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', 
uniqueString(parameters('targetManagedApplicationId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, - '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetManagedApplicationId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetManagedApplicationId\":{\"value\":\"[parameters('targetManagedApplicationId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17763ad9-70c0-4794-9397-53d765932634\"},{\"properties\":{\"displayName\":\"Transparent - Data Encryption on SQL databases should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which + resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource + types to associate","description":"The list of resource types to be associated + to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association + name prefix","description":"Prefix to be added to the name of the association + resource being 
created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), + ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetManagedApplicationId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), + ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), + ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', + uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, + 
''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent data encryption should be enabled to protect data-at-rest and meet compliance - requirements\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"enabled\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17k78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1325 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1845796a-7581-49b2-ae20-443121538e19\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1480 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18a767cc-1947-4338-a240-bc058c81164f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1369 - Incident Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18cc35ed-a429-486d-8d59-cb47e87304ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1269 - Alternate Storage Site | Separation From Primary Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"19b9439d-865d-4474-b17d-97d2702fdb66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1071 - Wireless Access | Restrict Configurations By Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a437f5b-9ad6-4f28-8861-de404d511ae4\"},{\"properties\":{\"displayName\":\"Azure - Monitor log profile should collect logs for categories 'write,' 'delete,' - and 'action'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that a log profile collects logs for categories 'write,' 'delete,' - and 'action'\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logprofiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Write\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Delete\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Action\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a4e592a-6a6e-44a5-9814-e36264ca96e7\"},{\"properties\":{\"displayName\":\"[Preview]: - Access to App Services should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft + Managed Control 1325 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft + Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft + Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft + Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft + Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure + Monitor log profile should collect logs for categories ''write,'' ''delete,'' + and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy + ensures that a log profile collects logs for categories ''write,'' ''delete,'' + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: + Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive 
and allow inbound traffic from ranges - that are too broad\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToAppServices\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a833ff1-d297-4a0f-9944-888428f8e0ff\"},{\"properties\":{\"displayName\":\"Vulnerability - assessment should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + that are too broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1b7aa243-30e4-4c9e-bca8-d0d3022b634a\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the Api 
app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + and/or new functionalities of the latest 
version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","type":"Microsoft.Authorization/policyDefinitions","name":"1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. 
The list of OS images will be updated over - time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Co
mpute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c210e94-a481-4beb-95fa-1571b434fb04\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1ca29e41-34ec-4e70-aba9-6248aca18c31\"},{\"properties\":{\"displayName\":\"Microsoft + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"all
Of":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachine
s/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft + Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative - Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1cb067d5-c8b5-4113-a7ee-0a493633924b\"},{\"properties\":{\"displayName\":\"Microsoft + Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests - Of Consumers And Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d01ba6c-289f-42fd-a408-494b355b6222\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1088 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d50f99d-1356-49c0-934a-45f742ba7783\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1538 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d7658b2-e827-49c3-a2ae-6d2bd0b45874\"},{\"properties\":{\"displayName\":\"Virtual - machines should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft + Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft + Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual + machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachines\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicCompute/virtualMachines\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d84d5fb-01f6-4d12-ba4f-4a26081d403d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1298 - Identification And Authentication Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1dc784b5-4895-4d27-9d40-a06b032bd1ee\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft + Managed Control 1298 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1de7b11d-1870-41a5-8181-507e7c663cfb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1595 - 
Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e0414e7-6ef5-4182-8076-aa82fbb53341\"},{\"properties\":{\"displayName\":\"Require - tag and its value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces - a required tag and its value. Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"equals\":\"[parameters('tagValue')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e30110a-5ceb-460c-a204-c1c3969c6d62\"},{\"properties\":{\"displayName\":\"An - Azure Active Directory administrator should be provisioned for SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Using older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require + tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An + Azure Active Directory administrator should be provisioned for SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/administrators\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f314764-cb73-4fc9-b863-8eca98ac36e9\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Event Hub to Log Analytics 
workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVer
sion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f6e93e8-6b31-41b1-83f6-36e449a42579\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Shutdown'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Shutdown: Allow system to be shut down without having to log on\",\"description\":\"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen.\"},\"defaultValue\":\"0\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Shutdown: Clear virtual memory pagefile\",\"description\":\"Specifies whether + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. 
For systems with large amounts of RAM, this - could result in substantial time needed to complete the shutdown.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":
\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Shutdown: - Allow system to be shut down without having to log on;ExpectedValue', '=', - parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'), ',', 'Shutdown: - Clear virtual memory pagefile;ExpectedValue', '=', 
parameters('ShutdownClearVirtualMemoryPagefile')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsShutdown\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},\"ShutdownClearVirtualMemoryPagefile\":{\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"string\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: - Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: - Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: - Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: - Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f8c20ce-3414-4496-8b26-0e902a1541da\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1616 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2006457a-48b3-4f7b-8d2e-1532287f9929\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1650 - Public Key Infrastructure Certificates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201d3740-bd16-4baf-b4b8-7cda352228b7\"},{\"properties\":{\"displayName\":\"Web - ports should be restricted on Network Security Groups associated to your VM\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security
-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + Allow system to be shut down without having to log on;ExpectedValue'', ''='', + parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft + Managed Control 1616 - System And 
Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft + Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201ea587-7c90-41c3-910f-c280ae01cfd6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21839937-d241-4fa5-95c6-b669253d9ab9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1111 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21de687c-f15e-4e51-bf8d-f35c8619965b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1596 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e25e01-0ae0-41be-919e-04ce92b8e8b8\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Audit'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e2995e-683e-497a-9e81-2f42ad07050a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1426 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21f639bc-f42b-46b1-8f40-7a2a389c291a\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Apps that are not 
using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft + Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft + Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and 
Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft + Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Audit''. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: + Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - 
Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"224da9fe-0d38-4e79-adb3-0a6e2af942ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1399 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2256e638-eb23-480f-9e15-6cf1af0a76b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22589a07-0007-486a-86ca-95355081ae2a\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Account Management''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Account Management'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"225e937e-d32e-4713-ab74-13ce95b3519a\"},{\"properties\":{\"displayName\":\"Management - ports should be closed on your virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Open + category: ''System Audit Policies - Account Management''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToManagementPorts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22730e10-96f6-4aac-ad84-9383d35b5917\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1493 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22b469b3-fccf-42da-aa3b-a28e6fb113ce\"},{\"properties\":{\"displayName\":\"Only - secure connections to your Redis Cache should be 
enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft + Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cache\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Cache/redis\"},{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22bee202-a82f-4305-9a2a-6d7f44d4dedb\"},{\"properties\":{\"displayName\":\"[Preview]: + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum - password length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + password length to 14 
characters","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"fie
ld\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordLength\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23020aa6-1135-4be2-bae2-149982b06eca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1256 - Contingency Plan | Identify Critical Assets\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"232ab24b-810b-4640-9019-74a7d0d6a980\"},{\"properties\":{\"displayName\":\"Service - Bus should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft + Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service + Bus should use a virtual network service 
endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"235359c5-7c52-4b82-9055-01c75cf9f60e\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosti
cSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1268 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23f6e984-3053-4dfc-ab48-543b764781f5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"243ec95e-800c-49d4-ba52-1fdd9f6b8b57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1231 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"244e0c05-cc45-4fe7-bf36-42dcf01f457d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1082 - Information Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24d480ef-11a0-4b1b-8e70-4e023bf2be23\"},{\"properties\":{\"displayName\":\"[Preview]: + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log 
Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', 
''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft + Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft + Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft + Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft + Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age - of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have a maximum password age - of 70 days. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24dde96d-f0b1-425e-884f-4a1421e2dcdc\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have a maximum password age of 70 days. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"
apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25763a0a-5783-4f14-969e-79d4933eb74b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1372 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25b96717-c912-4c00-9143-4e487f411726\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1038 - Least Privilege | Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\"},{\"properties\":{\"displayName\":\"Endpoint - protection solution should be installed on virtual machine scale sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic 
settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.
DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft + Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft + Managed Control 1038 - Least Privilege | Privileged 
Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint + protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EndpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26a828e1-e88f-464e-bbb3-c134a282b9de\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1649 - Collaborative Computing 
Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26d292cc-b0b8-4c29-9337-68abc758bf7b\"},{\"properties\":{\"displayName\":\"Metric - alert rules should be configured on Batch accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft + Managed Control 1649 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric + alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"metricName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Metric - name\",\"description\":\"The metric name that an alert rule must be enabled - on\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/alertRules\",\"existenceScope\":\"Subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/alertRules/isEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.metricName\",\"equals\":\"[parameters('metricName')]\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.resourceUri\",\"equals\":\"[concat('/subscriptions/', - subscription().subscriptionId, '/resourcegroups/', resourceGroup().name, 
'/providers/Microsoft.Batch/batchAccounts/', - field('name'))]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1396 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"276af98f-4ff9-4e69-99fb-c9b2452fb85f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1074 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"27a69937-af92-4198-9b86-08d355c7e59a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1527 - 
Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2823de66-332f-4bfd-94a3-3eb036cd3b67\"},{\"properties\":{\"displayName\":\"Deploy - default Microsoft IaaSAntimalware extension for Windows Server\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric + name","description":"The metric name that an alert rule must be enabled on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', + subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, + 
''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft + Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft + Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy + default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensio
ns\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"ExclusionsPaths\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of file paths or locations to exclude from scanning\"}},\"ExclusionsExtensions\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of file extensions to exclude from scanning\"}},\"ExclusionsProcesses\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon - delimited list of process names to exclude from scanning\"}},\"RealtimeProtectionEnabled\":{\"type\":\"string\",\"defaultValue\":\"true\",\"metadata\":{\"description\":\"Indicates - whether or not real time protection is enabled (default is true)\"}},\"ScheduledScanSettingsIsEnabled\":{\"type\":\"string\",\"defaultValue\":\"false\",\"metadata\":{\"description\":\"Indicates - whether or not custom scheduled scan settings are enabled (default is false)\"}},\"ScheduledScanSettingsScanType\":{\"type\":\"string\",\"defaultValue\":\"Quick\",\"metadata\":{\"description\":\"Indicates - whether scheduled scan setting type is set to Quick or Full (default is Quick)\"}},\"ScheduledScanSettingsDay\":{\"type\":\"string\",\"defaultValue\":\"7\",\"metadata\":{\"description\":\"Day - of the week for scheduled scan (1-Sunday, 2-Monday, ..., 
7-Saturday)\"}},\"ScheduledScanSettingsTime\":{\"type\":\"string\",\"defaultValue\":\"120\",\"metadata\":{\"description\":\"When + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of file paths or locations to exclude from 
scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates + whether or not real time protection is enabled (default is true)"}},"ScheduledScanSettingsIsEnabled":{"type":"string","defaultValue":"false","metadata":{"description":"Indicates + whether or not custom scheduled scan settings are enabled (default is false)"}},"ScheduledScanSettingsScanType":{"type":"string","defaultValue":"Quick","metadata":{"description":"Indicates + whether scheduled scan setting type is set to Quick or Full (default is Quick)"}},"ScheduledScanSettingsDay":{"type":"string","defaultValue":"7","metadata":{"description":"Day + of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"}},"ScheduledScanSettingsTime":{"type":"string","defaultValue":"120","metadata":{"description":"When to perform the scheduled scan, measured in minutes from midnight (0-1440). 
- For example: 0 = 12AM, 60 = 1AM, 120 = 2AM.\"}}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/IaaSAntimalware')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.Azure.Security\",\"type\":\"IaaSAntimalware\",\"typeHandlerVersion\":\"1.3\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"AntimalwareEnabled\":true,\"RealtimeProtectionEnabled\":\"[parameters('RealtimeProtectionEnabled')]\",\"ScheduledScanSettings\":{\"isEnabled\":\"[parameters('ScheduledScanSettingsIsEnabled')]\",\"day\":\"[parameters('ScheduledScanSettingsDay')]\",\"time\":\"[parameters('ScheduledScanSettingsTime')]\",\"scanType\":\"[parameters('ScheduledScanSettingsScanType')]\"},\"Exclusions\":{\"Extensions\":\"[parameters('ExclusionsExtensions')]\",\"Paths\":\"[parameters('ExclusionsPaths')]\",\"Processes\":\"[parameters('ExclusionsProcesses')]\"}}}}]},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"RealtimeProtectionEnabled\":{\"value\":\"true\"},\"ScheduledScanSettingsIsEnabled\":{\"value\":\"true\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2835b622-407b-4114-9198-6f7064cbe0dc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"283a4e29-69d5-4c94-b99e-29acf003c899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1436 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28aab8b4-74fd-4b7c-9080-5a7be525d574\"},{\"properties\":{\"displayName\":\"Microsoft + For example: 0 = 12AM, 60 = 1AM, 120 = 
2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft + Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft + Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During - Installations / Removals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1148 - Security Assessments | Independent Assessors\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e62650-c7c2-4786-bdfa-17edc1673902\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e633fd-284e-4ea7-88b4-02ca157ed713\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"292a7c44-37fa-4c68-af7c-9d836955ded2\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft + Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft + Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + User Account Control''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - User Account Control'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"29829ec2-489d-4925-81b7-bda06b1718e0\"},{\"properties\":{\"displayName\":\"Append - tag and its default value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + category: ''Security Options - User Account Control''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource - groups. 
New 'modify' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a0e14a6-b0a6-4fab-991a-187a4f81c498\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a39ac75-622b-4c88-9a3f-45b7373f7ef7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1274 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2aee175f-cd16-4825-939a-a85349d96210\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1603 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b909c26-162f-47ce-8e15-0c1f55632eac\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b9ad585-36bc-4615-b300-fd4435808332\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1434 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c251a55-31eb-4e53-99c6-e9c43c393ac2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1388 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1344 - Authenticator Feedback\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c895fe7-2d8e-43a2-838c-3a533a5b355e\"},{\"properties\":{\"displayName\":\"SSH - access from the Internet should be blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits any network security rule that allows SSH access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"22\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), - contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), - contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))), 
sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))))),22), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), - contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), - contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))))),22), 
'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"22\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fab\"},{\"properties\":{\"displayName\":\"Unattached - disks should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any unattached disk without encryption enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/disks\"},{\"field\":\"Microsoft.Compute/disks/diskState\",\"equals\":\"Unattached\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fb2\"},{\"properties\":{\"displayName\":\"Microsoft + groups. New ''modify'' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft + Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft + Managed Control 1274 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft + Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed + identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft + Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft + Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft + Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft + Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached + disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, - Storage, And Service Location\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1546 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce1ea7e-4038-4e53-82f4-63e8859333c1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1414 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1679 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cf42a28-193e-41c5-98df-7688e7ef0a88\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1068 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d045bca-a0fd-452e-9f41-4ec33769717c\"},{\"properties\":{\"displayName\":\"App - Service should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft + Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft + Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft + Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App + Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/virtualNetworkConnections\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d21331d-a4c2-4def-a9ad-ee4e1e023beb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1704 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d44b6fa-1134-4ea6-ad4e-9edb68f65429\"},{\"properties\":{\"displayName\":\"[Preview]: + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft + Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible - encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not store passwords using reversible - encryption. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d60d3b7-aa10-454c-88a8-de39d99d17c6\"},{\"properties\":{\"displayName\":\"[Preview]: + encryption","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not store passwords using reversible encryption. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts - without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":
\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d67222d-05fd-4526-a171-2ee132ad9e83\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1077 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2dad3668-797a-412e-a798-07d3849a7a79\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1149 - Security Assessments | Specialized Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e1b855b-a013-481a-aeeb-2bcb129fd35d\"},{\"properties\":{\"displayName\":\"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft + Managed Control 1149 - Security Assessments | Specialized 
Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other - Organizational Entities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e3c5583-1729-4d36-8771-59c32f090a22\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1000 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ef3cc79-733e-48ed-ab6f-7bf439e9b406\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1519 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f13915a-324c-4ab8-b45c-2eefeeefb098\"},{\"properties\":{\"displayName\":\"[Preview]: + Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft + Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual - machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable Dependency Agent for Windows - VMs 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.
Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f2ee1de-44aa-4762-b6bd-0893fc3f306d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1144 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fa15ff1-a693-4ee4-b094-324818dc9a51\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1090 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fb740e5-cbc7-4d10-8686-d1bf826652b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Web Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft + Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: + Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fde8a98-6892-426a-83ba-050e640c0ce0\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Network Access'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"30040dab-4e75-4456-8273-14b8f75d91d9\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''Security Options - Network Access''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"DomainName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Domain - Name (FQDN)\",\"description\":\"The fully qualified domain name (FQDN) that - the Windows VMs should be joined to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-s
erver*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[DomainMembership]WindowsDomainMembership;DomainName', - '=', 
parameters('DomainName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDomainMembership\"},\"DomainName\":{\"value\":\"[parameters('DomainName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DomainName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"315c850a-272d-4502-8935-b79010405970\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + Name (FQDN)","description":"The fully qualified domain name (FQDN) that the + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-window
s2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft + Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | 
Individuals Posing - Greater Risk\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"31b752c1-05a9-432a-8fce-c39b56550119\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log Analytics Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time as - support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"20
19-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equal
s\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher
\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32133ab0-ee4b-4b44-98d6-042180979d50\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1587 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32820956-9c6d-4376-934c-05cd8525be7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1333 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\"},{\"properties\":{\"displayName\":\"Deploy + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft + Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft + Managed Control 1333 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not - installed and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the specified services are not installed and 'Running'. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding + on which the specified services are not installed and ''Running''. It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ServiceName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Service - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the services that should be installed and 'Running'. e.g. 
- 'WinRm;Wi*'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf
\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsServiceStatus]WindowsServiceStatus1;ServiceName', - '=', parameters('ServiceName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsServiceStatus\"},\"ServiceName\":{\"value\":\"[parameters('ServiceName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ServiceName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32b1e4d4-6cd5-47b4-a935-169da8a5c262\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1445 - Physical And Environmental Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32d07d59-2716-4972-b37b-214a67ac4a37\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1282 - Telecommunications Services | Single Points Of Failure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34042a97-ec6d-4263-93d2-8c1c46823b2a\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service + names (supports wildcards)","description":"A semicolon-separated list of the + names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + ''='', parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft + Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft + Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid232\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3470477a-b35a-49db-aca5-1073d04524fe\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1151 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"347e3b69-7fb7-47df-a8ef-71a1a7b44bca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1412 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3492d949-0dbb-4589-88b3-7b59601cc764\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1475 - Emergency Lighting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a63848-30cf-4081-937e-ce1a1c885501\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1060 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a987fd-2003-45de-a120-014956581f2b\"},{\"properties\":{\"displayName\":\"Audit - unrestricted network access to storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Micr
osoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":
{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft + Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft + Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft + Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit + unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"equals\":\"Allow\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34c877ad-507e-4c82-993e-3452a6e0ad3c\"},{\"properties\":{\"displayName\":\"Microsoft + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System - Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34cb7e92-fe4c-4826-b51e-8cd203fa5d35\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Logic Apps should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic + logs in Logic Apps should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Logic - Apps\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34f95f76-5386-4de7-b824-0d8478470c9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1210 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3502c968-c490-4570-8167-1476f955e9b8\"},{\"properties\":{\"displayName\":\"[Preview]: + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do 
not have a maximum password - age of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"all
Of\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MaximumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"
condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"356a906e-05e5-4625-8729-90771e0ee934\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS + should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
- Allow only required domains to interact with your API app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\"},{\"properties\":{\"displayName\":\"Microsoft + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution - 
Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35a4102f-a778-4a2e-98c2-971056288df8\"},{\"properties\":{\"displayName\":\"Gateway - subnets should not be configured with a network security group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway + subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},{\"field\":\"name\",\"equals\":\"GatewaySubnet\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35f9c03a-cc27-418e-9c0c-539ff999d010\"},{\"properties\":{\"displayName\":\"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From - Executing Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361a77f6-0f9c-4748-8eec-bc13aaaa2455\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Threat Protection on Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables Advanced Threat Protection on Storage Accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"storageAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('storage
AccountName'), - '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"storageAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361c2074-3595-4e5d-8cab-4f21dffc835c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1313 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36220f5b-79a1-4cdb-8c74-2d2449f9a510\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1630 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3643717a-3897-4bfd-8530-c7c96b26b2a0\"},{\"properties\":{\"displayName\":\"Automation - account variables should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy + Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), + ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft + Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft + Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation + account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Automation\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Automation/automationAccounts/variables\"},{\"field\":\"Microsoft.Automation/automationAccounts/variables/isEncrypted\",\"notEquals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3657f5a0-770e-44a3-b44e-9431ba1e9735\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1339 - Authenticator Management | Protection Of Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"367ae386-db7f-4167-b672-984ff86277c0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1685 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36b0ef30-366f-4b1b-8652-a3511df11f53\"},{\"properties\":{\"displayName\":\"Deploy - Threat Detection on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy ensures that Threat Detection is enabled on SQL Servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36d49e87-48c4-4f2e-beed-ba4ed02b71f5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft + Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft + Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy + Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Network Security'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network Security: Configure encryption types allowed for Kerberos\",\"description\":\"Specifies - the encryption types that Kerberos is allowed to use.\"},\"defaultValue\":\"2147483644\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network security: LAN Manager authentication level\",\"description\":\"Specify + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify which challenge-response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication - accepted by servers.\"},\"defaultValue\":\"5\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network security: LDAP client signing requirements\",\"description\":\"Specify + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify the level of data signing that is requested on behalf of clients that issue - LDAP BIND requests.\"},\"defaultValue\":\"1\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: Network security: Minimum session security for NTLM SSP based (including secure - RPC) clients\",\"description\":\"Specifies which behaviors are allowed by - clients for applications using the NTLM Security Support Provider (SSP). The - SSP Interface (SSPI) is used by applications that need authentication services. - See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information.\"},\"defaultValue\":\"537395200\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: Network security: Minimum session security for NTLM SSP based (including secure - RPC) servers\",\"description\":\"Specifies which behaviors are allowed by - servers for applications using the NTLM Security Support Provider (SSP). The - SSP Interface (SSPI) is used by applications that need authentication services.\"},\"defaultValue\":\"537395200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals
\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue', - '=', parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'), - ',', 'Network security: LAN Manager authentication level;ExpectedValue', '=', - parameters('NetworkSecurityLANManagerAuthenticationLevel'), ',', 'Network - security: LDAP client signing 
requirements;ExpectedValue', '=', parameters('NetworkSecurityLDAPClientSigningRequirements'), - ',', 'Network security: Minimum session security for NTLM SSP based (including - secure RPC) clients;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'), - ',', 'Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkSecurity\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"string\"},\"Net
workSecurityLANManagerAuthenticationLevel\":{\"type\":\"string\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network - security: LAN Manager authentication level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network - security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue'', + ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), + '','', ''Network security: LAN Manager authentication level;ExpectedValue'', + ''='', parameters(''NetworkSecurityLANManagerAuthenticationLevel''), '','', + ''Network security: LDAP client signing requirements;ExpectedValue'', ''='', + parameters(''NetworkSecurityLDAPClientSigningRequirements''), '','', ''Network security: Minimum session security for NTLM SSP based (including secure RPC) - clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), + '','', ''Network security: Minimum session security for NTLM SSP based (including + secure RPC) servers;ExpectedValue'', ''='', 
parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network - security: LAN Manager authentication 
level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network - security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - 
servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36e17963-7202-494a-80c3-f508211c826b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36fbe499-f2f2-41b6-880e-52d7ea1d94a5\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft + Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Interactive Logon'. 
It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-serve
r-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsInteractiveLogon\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3750712b-43d0-478e-9966-d2c26f6141b9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1624 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37d079e3-d6aa-4263-a069-dd7ac6dd9684\"},{\"properties\":{\"displayName\":\"Storage - accounts should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft + Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage + accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicStorage/storageAccounts\",\"Microsoft.Storage/StorageAccounts\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicStorage/storageAccounts\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37e0d2fe-28a5-43d6-a273-67d37d1f5606\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1335 - Authenticator Management | Pki-Based 
Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"382016f3-d4ba-4e15-9716-55077ec4dc2a\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in IoT Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft + Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic + logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Internet - of Things\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Devices/IotHubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"383856f8-de7f-44a2-81fc-e5135b5c2aa4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1081 - Information Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3867f2a9-23bb-4729-851f-c3ad98580caf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1522 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38b470cc-f939-4a15-80e0-9f0c74f2e2c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38dfd8a3-5290-4099-88b7-4081f4c4d8ae\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1397 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391af4ab-1117-46b9-b2c7-78bbd5cd995b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391ff8b3-afed-405e-9f7d-ef2f8168d5da\"},{\"properties\":{\"displayName\":\"Advanced + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft + Managed Control 1522 - Personnel 
Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft + Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address - to receive security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send alerts to' field in the Advanced - Data Security server settings. 
This email address receives alert notifications - when anomalous activities are detected on SQL managed instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1232 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"396ba986-eac1-4d6d-85c4-d3fda6b78272\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1246 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"398eb61e-8111-40d5-a0c9-003df28f1753\"},{\"properties\":{\"displayName\":\"FTPS - only should be required in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399b2637-a50f-4f95-96f8-3a145476eb15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1680 - Malicious Code Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399cd6ee-0e18-41db-9dea-cde3bd712f38\"},{\"properties\":{\"displayName\":\"Microsoft + to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send alerts to'' field in the + Advanced Data Security server settings. 
This email address receives alert + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft + Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft + Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS + only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft + Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"39c54140-5902-4079-8bb5-ad31936fe764\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1039 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1648 - Collaborative Computing Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a9eb14b-495a-4ebb-933c-ce4ef5264e32\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1315 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3aa87116-f1a1-4edb-bfbf-14e036f8d454\"},{\"properties\":{\"displayName\":\"[Preview]: - Pod Security Policies should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Define + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft + Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft + Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft + Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: + Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3abeb944-26af-43ee-b83d-32aaf060fb94\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1548 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3afe6c78-6124-4d95-b85c-eb8c0c9539cb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1003 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b68b179-3704-4ff7-b51d-7d65374d165d\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Security operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits specific Security operations with no activity log alerts configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Security Operation name for which activity log alert - should 
exist\"},\"allowedValues\":[\"Microsoft.Security/policies/write\",\"Microsoft.Security/securitySolutions/write\",\"Microsoft.Security/securitySolutions/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Security\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b980d31-7904-4bb7-8575-5665739a8052\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft + Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft + Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Micr
osoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\
"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3be22e3b-d919-47aa-805e-8985dbeb0ad9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher"
,"equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAg
ent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-wi
th-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/typ
e\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c1b3629-c8f8-4bf6-862c-037cb9094038\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in security 
configuration on your virtual machine scale sets should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c
-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities + in security 
configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OsVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1621 - Resource Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cb9f731-744a-4691-a481-ca77b0411538\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1521 - Personnel Termination | Automated Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1127 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3ce328db-aef3-48ed-9f81-2ab7cf839c66\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Search Services to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft + Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft + Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft + Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d5da587-71bd-41f5-ac95-dd3330c2d58d\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Devices'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d7b154e-2700-4c8c-9e46-cb65ac1578c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Deploy default Log Analytics Agent for Ubuntu VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d","type":"Microsoft.Authorization/policyDefinitions","name":"3d5da587-71bd-41f5-ac95-dd3330c2d58d"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Devices''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Devices''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Compute\",\"deprecated\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Log Analytics workspace\",\"description\":\"Select Log Analytics workspace - from dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\",\"16.04-LTS\",\"16.04.0-LTS\",\"14.04.2-LTS\",\"12.04.5-LTS\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/omsPolicy')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"type\":\"OmsAgentForLinux\",\"typeHandlerVersion\":\"1.4\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - '2015-03-20').customerId]\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - 
'2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - monitoring for Linux VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1385 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e495e65-8663-49ca-9b38-9f45e800bc58\"},{\"properties\":{\"displayName\":\"Azure - Monitor solution 'Security and Audit' must be deployed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that Security and Audit is deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.OperationsManagement/solutions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.OperationsManagement/solutions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"name\",\"like\":\"Security(*)\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e596b57-105f-48a6-be97-03e9243bad6e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1160 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e797ca6-2aa8-4333-b335-7036f1110c05\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1545 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f4b171a-a56b-4328-8112-32cf7f947ee1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1179 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft + Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure + Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft + Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft + Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft + Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fe37002-5d00-4b37-a301-da09e3a0ca66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1561 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40364c3f-c331-4e29-b1e3-2fbe998ba2f5\"},{\"properties\":{\"displayName\":\"Secure - transfer 
to storage accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure + transfer to storage accounts should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"404c3081-a854-4457-ae30-26a93ef643f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1100 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4057863c-ca7d-47eb-b1e0-503580cba8a4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1637 - Boundary Protection | Fail Secure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4075bedc-c62a-4635-bede-a01be89807f3\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to 
match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft + Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft + Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - System'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AlwaysUseClassicLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always use classic logon\",\"description\":\"Specifies whether to force the - user to log on to the computer using the classic logon screen. 
This setting - only works when the computer is not on a domain.\"},\"defaultValue\":\"0\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Boot-Start Driver Initialization Policy\",\"description\":\"Specifies which - boot-start drivers are initialized based on a classification determined by - an Early Launch Antimalware boot-start driver.\"},\"defaultValue\":\"3\"},\"EnableWindowsNTPClient\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enable Windows NTP Client\",\"description\":\"Specifies whether the Windows - NTP Client is enabled. Enabling the Windows NTP Client allows your computer - to synchronize its computer clock with other NTP servers.\"},\"defaultValue\":\"1\"},\"TurnOnConveniencePINSignin\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn on convenience PIN sign-in\",\"description\":\"Specifies whether a domain - user can sign in using a convenience PIN.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"
standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Always - use classic logon;ExpectedValue', '=', parameters('AlwaysUseClassicLogon'), - ',', 'Boot-Start Driver Initialization Policy;ExpectedValue', '=', 
parameters('BootStartDriverInitializationPolicy'), - ',', 'Enable Windows NTP Client;ExpectedValue', '=', parameters('EnableWindowsNTPClient'), - ',', 'Turn on convenience PIN sign-in;ExpectedValue', '=', parameters('TurnOnConveniencePINSignin')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesSystem\"},\"AlwaysUseClassicLogon\":{\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},\"BootStartDriverInitializationPolicy\":{\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},\"EnableWindowsNTPClient\":{\"value\":\"[parameters('EnableWindowsNTPClient')]\"},\"TurnOnConveniencePINSignin\":{\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AlwaysUseClassicLogon\":{\"type\":\"string\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"string\"},\"EnableWindowsNTPClient\":{\"type\":\"string\"},\"TurnOnConveniencePINSignin\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always - use classic 
logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start - Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable - Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn - on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always - use classic logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start - Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable - Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn - on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40917425-69db-4018-8dae-2a0556cef899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1202 - Access Restrictions For Change\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40a2a83b-74f2-4c02-ae65-f460a5d2792a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1438 - Media Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40fcc635-52a2-4dbc-9523-80a1f4aa1de6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1365 - Incident Handling | Continuity Of Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4116891d-72f7-46ee-911c-8056cc8dcbd5\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. 
This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equal
s":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), + '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), + '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft + Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft + Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft + Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential - Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"411f7e2d-9a0b-4627-a0b9-1700432db47d\"},{\"properties\":{\"displayName\":\"Microsoft + Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance - Equipment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41256567-1795-4684-b00b-a1308ce43cac\"},{\"properties\":{\"displayName\":\"Azure - Monitor should collect activity logs from all regions\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure + Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiasoutheast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"brazilsouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francesouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japaneast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japanwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/loca
tions[*]\",\"notEquals\":\"koreacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"koreasouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricanorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricawest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southeastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaenorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uksouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"ukwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"global\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\
":\"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1263 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41472613-3b05-49f6-8fe8-525af113ce17\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1096 - Role-Based Security Training | Practical Exercises\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"420c1477-aa43-49d0-bd7e-c4abdd9addff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1260 - Contingency Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42254fc4-2738-4128-9613-72aaa4f0d9c3\"},{\"properties\":{\"displayName\":\"Microsoft + from all Azure supported regions including global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/location
s[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}
},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft + Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft + Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft + Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications - Traffic Anomalies\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"426c4ac9-ff17-49d0-acd7-a13c157081c0\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Batch accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic + logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"428256e6-1fac-4f48-a757-df34c2b3336d\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs 
configurations in 'System Audit - Policies - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Detailed Tracking'. It also creates a system-assigned managed identity and - deploys the VM extension for Guest Configuration. This policy should only + with non-compliant settings in Group Policy category: ''System Audit Policies + - Detailed Tracking''. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditProcessTermination\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Process Termination\",\"description\":\"Specifies whether audit events - are generated when a process has exited. 
Recommended for monitoring termination - of critical processes.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Process Termination;ExpectedValue', '=', parameters('AuditProcessTermination')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\"},\"AuditProcessTermination\":{\"value\":\"[parameters('AuditProcessTermination')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditProcessTermination\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a07bbf-ffcf-459a-b4b1-30ecd118a505\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1174 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a9a714-8fbb-43ac-b115-ea12d2bd652f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1137 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4344df62-88ab-4637-b97b-bcaf2ec97e7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"435b2547-6374-4f87-b42d-6e8dbe6ae62a\"},{\"properties\":{\"displayName\":\"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft + Managed Control 1174 - Configuration Management Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft + Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft + Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior - To New Scan / When Identified\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43684572-e4f1-4642-af35-6b933bc506da\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - System settings'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + with non-compliant settings in Group Policy category: ''Security Options - + System settings''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: System settings: Use Certificate Rules on Windows Executables for Software - Restriction Policies\",\"description\":\"Specifies whether digital certificates + Restriction Policies","description":"Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you - must enable this policy setting.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-sc
ience-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('System + must enable this policy 
setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue', '=', parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemsettings\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"437a1f8f-8552-47a8-8b12-a2fee3269dd5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1544 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43ced7c9-cd53-456b-b0da-2522649a4271\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1398 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor permissive network access in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft + Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft + Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"permissiveNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44452482-524f-4bf4-b852-0bff7cc4a3ed\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1066 - Remote Access | Disconnect / Disable Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4455c2e8-c65d-4acf-895e-304916f90b36\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1720 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44b9a7cd-f36a-491a-a48b-6d04ae7c4221\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1334 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44bfdadc-8c2e-4c30-9c99-f005986fabcd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1604 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44dbba23-0b61-478e-89c7-b3084667782f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1712 - Software, Firmware, And Information Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44e543aa-41db-42aa-98eb-8a5eb1db53f0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1310 - Device Identification And Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"450d7ede-823d-4931-a99d-57f6a38807dc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1559 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45692294-f074-42bd-ac54-16f1a3c07554\"},{\"properties\":{\"displayName\":\"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft + Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft + Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft + Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft + Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft + Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft + Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols - / Services In Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45b7b644-5f91-498e-9d89-7402532d3645\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1565 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45ce2396-5c76-4654-9737-f8792ab3d26b\"},{\"properties\":{\"displayName\":\"Microsoft + / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft + Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party - Registration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"463e5220-3f79-4e24-a63f-343e4096cd22\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Require SQL Server version 12.0\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Registration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: + Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},{\"not\":{\"field\":\"Microsoft.Sql/servers/version\",\"equals\":\"12.0\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\"},{\"properties\":{\"displayName\":\"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational - 
Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dc8ce-2200-4720-87a5-dc5952924cc6\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. 
Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46544d7b-1f0d-46f5-81da-5c1351de1b06\"},{\"properties\":{\"displayName\":\"Require - automatic OS image patching on Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade\",\"notEquals\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade\",\"notEquals\":\"True\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f0161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1368 - Incident Handling | Correlation With External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f32da-0ace-4603-8d1b-7be5a3a702de\"},{\"properties\":{\"displayName\":\"Microsoft + patches every month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity - Using Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4708723f-e099-4af1-bbf9-b6df7642e444\"},{\"properties\":{\"displayName\":\"Automatic + Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your - subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable - automatic provisioning of the Log Analytics monitoring agent in order to collect - security data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/autoProvisioningSettings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/autoProvisioningSettings/autoProvision\",\"equals\":\"On\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"475aae12-b88a-4572-8b36-9b712b2b3a17\"},{\"properties\":{\"displayName\":\"Adaptive - Application Controls should be enabled on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible - Application Whitelist configuration will be monitored by Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"applicationWhitelisting\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47a6b606-51aa-4496-8bb7-64b11cf66adc\"},{\"properties\":{\"displayName\":\"Microsoft + subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic + provisioning of the Log Analytics monitoring agent in order to collect security + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive + Application Controls should be enabled on virtual 
machines","policyType":"BuiltIn","mode":"All","description":"Possible + Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related - Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47bc7ea0-7d13-4f7c-a154-b903f7194253\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1165 - Continuous 
Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47e10916-6c9e-446b-b0bd-ff5fd439d79d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1048 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"483e7ca9-82b3-45a2-be97-b93163a0deb7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1033 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48540f01-fc11-411a-b160-42807c68896e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1477 - Fire Protection | Detection Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4862a63c-6c74-4a9d-a221-89af3c374503\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1484 - Water Damage Protection | Automation Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"486b006a-3653-45e8-b41c-a052d3e05456\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft + Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft + Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft + Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft + Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. Use of IP Restrictions protects an API app from common attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48893b84-a2c8-4d9a-badf-835d5d1b7d53\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for 
PostgreSQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + access your app. Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48af4db5-9b8b-401c-8e74-076be876a430\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1669 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48f2f62b-5743-4415-a143-288adc0e078d\"},{\"properties\":{\"displayName\":\"Microsoft + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft + Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External - Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"493a95f3-f2e3-47d0-af02-65e6d6decc2f\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"496223c3-ad65-4ecd-878a-bae78737e9ed\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy 
creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Audit'. It also creates a system-assigned managed identity and deploys the + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows 
virtual machines + with non-compliant settings in Group Policy category: ''Security Options - + Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit: Shut down system immediately if unable to log security audits\",\"description\":\"Audits - if the system will shut down when unable to log Security events.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"
equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit: - Shut down system immediately if unable to log security audits;ExpectedValue', - '=', 
parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAudit\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498b810c-59cd-4222-9338-352ba146ccf3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1329 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498f6234-3e20-4b6a-a880-cbd646d973bd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49b99653-32cd-405d-a135-e7d60a9aae1f\"},{\"properties\":{\"displayName\":\"Append - tag and its default value to resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Appends + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security 
audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSK
U","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + Shut down system immediately if unable to log security audits;ExpectedValue'', + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft + Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft + Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append + tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New - 'modify' effect policies are available that support remediation of tags on - existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\"},{\"properties\":{\"displayName\":\"Microsoft + ''modify'' effect policies 
are available that support remediation of tags + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage - Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49dbe627-2c1e-438c-979e-dd7a39bbf81d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1218 - Least Functionality | Prevent Program 
Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a1d0394-b9f5-493e-9e83-563fd0ac4df8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1677 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a248e1e-040f-43e5-bff2-afc3a57a3923\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1094 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4b1853e0-8973-446b-b567-09d901d31a09\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c090801-59bc-4454-bb33-e0455133486a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1364 - Incident Handling | Dynamic Reconfiguration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c615c2a-dc83-4dda-8220-abce7b50c9bc\"},{\"properties\":{\"displayName\":\"Microsoft + Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft + Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft + Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft + Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft + Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers - At Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c643c9a-1be7-4016-a5e7-e4bada052920\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1373 - Incident Reporting | Automated Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4cca950f-c3b7-492a-8e8f-ea39663c14f9\"},{\"properties\":{\"displayName\":\"Microsoft + At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft + Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote - Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ce9073a-77fa-48f0-96b1-87aa8e6091c2\"},{\"properties\":{\"displayName\":\"Deploy + Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that do not have the specified applications installed. It also creates a system-assigned + installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Linux virtual machines that + do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names\",\"description\":\"A semicolon-separated list of the names of the applications - that should be installed. e.g. 
'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\"
:[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent', - '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), - 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d1c04de-2172-403f-901b-90608c35c721\"},{\"properties\":{\"displayName\":\"FTPS - should be required in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - 
Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names","description":"A semicolon-separated list of the names of the applications + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', + '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS + should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External - System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d33f9f1-12d0-46ad-9fbd-8f8046694977\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1156 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d52e864-9a3b-41ee-8f03-520815fe5378\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1312 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d6a5968-9eef-4c18-8534-376790ab7274\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft + Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft + Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect
\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for VM', ': ', 
parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard
"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), + ''/'', 
variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4daddf25-4823-43d4-88eb-2419eb6dcc08\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1394 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4db56f68-3f50-45ab-88f3-ca46f5379a94\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1702 - Information System Monitoring 
| Indicators Of Compromise\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4dfc0855-92c4-4641-b155-a55ddd962362\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1001 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e26f8c3-4bf3-4191-b8fc-d888805101b7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1083 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e319cb6-2ca3-4a58-ad75-e67f484e50ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1247 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e666db5-b2ef-4b06-aac6-09bfce49151b\"},{\"properties\":{\"displayName\":\"Microsoft + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft + Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft + Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft + Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft + Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft + Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\"},{\"properties\":{\"displayName\":\"Microsoft + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset - Of Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e95f70e-181c-4422-9da2-43079710c789\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1267 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e97ba1d-be5d-4953-8da4-0cccf28f4805\"},{\"properties\":{\"displayName\":\"Microsoft + Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft + Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ebd97f7-b105-4f50-8daf-c51465991240\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1139 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ed62522-de00-4dda-9810-5205733d2f34\"},{\"properties\":{\"displayName\":\"A - maximum of 3 owners should be designated for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft + Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A + maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateLessThanXOwners\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f11b553-d42e-4e3a-89be-32ca364cad4c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1442 - Media Sanitization | Nondestructive Techniques\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f26049b-2c5a-4841-9ff3-d48a26aae475\"},{\"properties\":{\"displayName\":\"Microsoft + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft + Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, - Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f34f554-da4b-4786-8d66-7915c90893da\"},{\"properties\":{\"displayName\":\"A - security contact email address should be provided for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A + security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/email\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\"},{\"properties\":{\"displayName\":\"Add - a tag to resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add + a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does - not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f9dc7db-30c1-420c-b61a-e1d640128d26\"},{\"properties\":{\"displayName\":\"[Preview] - Vulnerability Assessment 
should be enabled on Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] + Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"serverVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"NotApplicable\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"501541f7-f7e7-4cd6-868c-4190fdad3ac9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1485 - Delivery And Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50301354-95d0-4a11-8af5-8039ecf6d38b\"},{\"properties\":{\"displayName\":\"Microsoft + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft + Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric - Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"506814fa-b930-4b10-894e-a45b98c40e1a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1566 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50ad3724-e2ac-4716-afcc-d8eabd97adb9\"},{\"properties\":{\"displayName\":\"A + Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft + Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway - connections\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that all Azure virtual network gateway connections use a custom - Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported - algorithms and key strengths - https://aka.ms/AA62kb0\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"IPsecEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec - Encryption\",\"description\":\"IPsec Encryption\"}},\"IPsecIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec - Integrity\",\"description\":\"IPsec Integrity\"}},\"IKEEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE - Encryption\",\"description\":\"IKE Encryption\"}},\"IKEIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE - Integrity\",\"description\":\"IKE Integrity\"}},\"DHGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"DH - Group\",\"description\":\"DH Group\"}},\"PFSGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"PFS - Group\",\"description\":\"PFS 
Group\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/connections\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption\",\"notIn\":\"[parameters('IPsecEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity\",\"notIn\":\"[parameters('IPsecIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption\",\"notIn\":\"[parameters('IKEEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity\",\"notIn\":\"[parameters('IKEIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].dhGroup\",\"notIn\":\"[parameters('DHGroup')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup\",\"notIn\":\"[parameters('PFSGroup')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50b83b09-03da-41c1-b656-c293c914862b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1248 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50fc602d-d8e0-444b-a039-ad138ee5deb0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1386 - Information 
Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5120193e-91fd-4f9d-bc6d-194f94734065\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1352 - Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"518cb545-bfa8-43f8-a108-3b7d5037469a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1642 - Network Disconnect\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53397227-5ee3-4b23-9e5e-c8a767ce6928\"},{\"properties\":{\"displayName\":\"Connection - throttling should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + connections","policyType":"BuiltIn","mode":"All","description":"This policy + ensures that all Azure virtual network gateway connections use a custom Internet + Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec + Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec + Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE + Encryption","description":"IKE Encryption"}},"IKEIntegrity":{"type":"Array","metadata":{"displayName":"IKE + Integrity","description":"IKE Integrity"}},"DHGroup":{"type":"Array","metadata":{"displayName":"DH + Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS + Group","description":"PFS 
Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft + Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft + Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft + Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft + Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection + throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per - IP for too many invalid password login failures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"connection_throttling\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5345bb39-67dc-4960-a1bf-427e16b9a0bd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1467 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5350cbf9-8bdd-4904-b22a-e88be84ca49d\"},{\"properties\":{\"displayName\":\"Microsoft + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft + Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, - Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5352e3e0-e63a-452e-9e5f-9c1d181cff9c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1029 - Information Flow Enforcement | Security Policy Filters\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53c76a39-2097-408a-b237-b279f7b4614d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1040 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"54205576-cec9-463f-ba44-b4b3f5d0a84c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1015 - Account Management | Disable Inactive Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"544a208a-9c3f-40bc-b1d1-d7e144495c14\"},{\"properties\":{\"displayName\":\"Microsoft + Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft + Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft + Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft + Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft + Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk - Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"55419419-c597-4cd4-b51e-009fd2266783\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1045 - Unsuccessful Logon Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1523 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5577a310-2551-49c8-803b-36e0d5e55601\"},{\"properties\":{\"displayName\":\"Microsoft + Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft + Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft + Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage - Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"562afd61-56be-4313-8fe4-b9564aa4ba7d\"},{\"properties\":{\"displayName\":\"Microsoft + Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management - / Application / Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"56d970ee-4efc-49c8-8a4e-5916940d784c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"57149289-d52b-4f40-9fe6-5233c1ef80f7\"},{\"properties\":{\"displayName\":\"CORS - should not allow every resource to access your Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft + Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. - Allow only required domains to interact with your web app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5744710e-cc2f-4ee8-8809-3b11e89f4bc9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1162 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1054 - Session Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5807e1b4-ba5e-4718-8689-a0ca05a191b2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1584 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5864522b-ff1d-4979-a9f8-58bee1fb174c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1547 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1573 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58c93053-7b98-4cf0-b99f-1beb985416c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Ensure Function app is using the latest version of TLS encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft + Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft + Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft + Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft + Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft + Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: + Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58d94fc1-a072-47c2-bd37-9cdb38e77453\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1063 - Remote Access | Managed Access Control Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"593ce201-54b2-4dd0-b34f-c308005d7780\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1463 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"59721f87-ae25-4db0-a2a4-77cc5b25d495\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1425 - Timely Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5983d99c-f39b-4c32-a3dc-170f19f6941b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1512 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5a8324ad-f599-429b-aaed-f9c6e8c987a8\"},{\"properties\":{\"displayName\":\"[Preview]: + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + Managed Control 1063 - Remote Access | Managed Access Control Points","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft + Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft + Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a minimum password age - of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have a minimum password age - of 1 day. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa11bbc-5c76-4302-80e5-aba46a4282e7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1032 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa85661-d618-46b8-a20f-ca40a86f0751\"},{\"properties\":{\"displayName\":\"[Preview]: + of 1 day","policyType":"BuiltIn","mode":"All","description":"This 
policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have a minimum password age of 1 day. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":
[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password - length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + length to 14 
characters","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivot
al\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aebc8d1-020d-4037-89a0-02043a7524ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1555 - Vulnerability Scanning | Privileged Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5afa8cab-1ed7-4e40-884c-64e0ac2059cc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1205 - Access Restrictions For Change | Signed Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b070cab-0fb8-4e48-ad29-fc90b4c2797c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1005 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b626abc-26d4-4e22-9de8-3831818526b1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1105 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b73f57b-587d-4470-a344-0b0ae805f459\"},{\"properties\":{\"displayName\":\"Show - audit results from Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft + Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft + Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft + Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show + audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"fiel
d\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b842acb-0fe7-41b0-9f40-880ec4ad84d8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1433 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b879b41-2728-41c5-ad24-9ee2c37cbe65\"},{\"properties\":{\"displayName\":\"Ensure - WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. - Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb220d9-2698-4ee4-8404-b9c30c9df609\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure + WEB app has ''Client Certificates (Incoming client certificates)'' set to + 
''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection - status does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + status does not match the specified one","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"host\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Remote Host Name\",\"description\":\"Specifies the Domain Name System (DNS) - name or IP address of the remote host machine.\"}},\"port\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Port\",\"description\":\"The TCP port number on the remote host name.\"}},\"shouldConnect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Should connect to remote host\",\"description\":\"Must be 'True' or 'False'. - 'True' indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 'False' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a 
connection.\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/
storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsRemoteConnection]WindowsRemoteConnection1;host', - '=', parameters('host'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;port', - '=', parameters('port'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect', - '=', 
parameters('shouldConnect')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsRemoteConnection\"},\"host\":{\"value\":\"[parameters('host')]\"},\"port\":{\"value\":\"[parameters('port')]\"},\"shouldConnect\":{\"value\":\"[parameters('shouldConnect')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"host\":{\"type\":\"string\"},\"port\":{\"type\":\"string\"},\"shouldConnect\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb36dda-8a78-4df9-affd-4f05a8612a8a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1551 - Vulnerability Scanning | Update Tool 
Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bbda922-0172-4095-89e6-5b4a0bf03af7\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', + ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', + ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft + Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Network Security''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Network Security'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Comput
e/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c028d2a-1889-45f6-b821-31f42711ced8\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + category: ''Security Options - Network Security''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldis
k\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachineScaleS
ets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1671 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5bbef7-a316-415b-9b38-29753ce8e698\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1067 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5e54f6-0127-44d0-8b61-f31dc8dd6190\"},{\"properties\":{\"displayName\":\"External - accounts with 
write permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublis
her","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft + Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft + Managed Control 1067 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External + accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c607a2e-c700-4744-8254-d77e7c9eb5e4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1483 - Water Damage Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5cb81060-3c8a-4968-bcdc-395a1801f6c1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1362 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5d169442-d6ef-439b-8dca-46c2c3248214\"},{\"properties\":{\"displayName\":\"Microsoft + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft + Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft + Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency - Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5dee936c-8037-4df1-ab35-6635733da48c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1665 - Process Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df3a55c-8456-44d4-941e-175f79332512\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Function App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft + Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: + Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForFunctionApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df82f4f-773a-4a2d-97a2-422a806f1a55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1251 - Contingency Plan | Coordinate With Related Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e2b3730-8c14-4081-8893-19dbb5de7348\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + from network layer eavesdropping 
attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported 
.NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\"},{\"properties\":{\"displayName\":\"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications - installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have the specified applications - installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e393799-e3ca-4e43-a9a5-0ec4648a57d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1116 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e47bc51-35d1-44b8-92af-e2f2d8b67635\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1208 - Configuration 
Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ea87673-d06b-456f-a324-8abcee5c159f\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in India data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + installed","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have the specified applications installed. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft + Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central India\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"westindia\",\"southindia\",\"centralindia\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log 
Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\"
:\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandlerVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), - 
'2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), - '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\"},{\"properties\":{\"displayName\":\"Microsoft + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imag
eOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), + ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information - For Security Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f18c885-ade3-48c5-80b1-8f9216019c18\"},{\"properties\":{\"displayName\":\"External - accounts with read permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External + accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f76cf89-fbf2-47fd-a3f4-b891fa780b60\"},{\"properties\":{\"displayName\":\"Add - or replace a tag on resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add + or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. 
Does - not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ffd78d9-436d-4b41-a421-5baa819e3008\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1663 - Protection Of Information At Rest\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60171210-6dde-40af-a144-bf2670518bfa\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs 
configurations in 'System Audit Policies - - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft + Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit 
Policies + - Object Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Object Access'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Micro
soft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60aeaf73-a074-417a-905f-7ce9df0ff77b\"},{\"properties\":{\"displayName\":\"Storage - Accounts should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''System Audit Policies - Object Access''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60d21c4f-21a3-4d94-85f4-b924e6aeeda4\"},{\"properties\":{\"displayName\":\"Show + service 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication - protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows web servers that are not using secure communication protocols - (TLS 1.1 or TLS 1.2). 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60ffe3e2-4604-4460-8f22-0f1da058266c\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Data Security on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + protocols","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + web servers that are not using secure communication protocols (TLS 1.1 or + TLS 1.2). 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a 'sqlva' prefix.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"serverResourceGroupName\":\"[resourceGroup().name]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), - variables('serverResourceGroupName'), parameters('location'))]\",\"storageName\":\"[tolower(concat('sqlva', - variables('uniqueStorage')))]\"},\"resources\":[{\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[variables('storageName')]\",\"apiVersion\":\"2019-04-01\",\"location\":\"[parameters('location')]\",\"sku\":{\"name\":\"Standard_LRS\"},\"kind\":\"StorageV2\",\"properties\":{}},{\"name\":\"[concat(parameters('serverName'), - '/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}},{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"apiVersion\":\"2018-06-01-preview\",\"properties\":{\"storageContainerPath\":\"[concat(reference(resourceId('Microsoft.Storage/storageAccounts', - variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]\",\"storageAccountAccessKey\":\"[listKeys(resourceId('Microsoft.Storage/storageAccounts', - variables('storageName')), '2018-02-01').keys[0].value]\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true,\"emails\":[]}},\"dependsOn\":[\"[concat('Microsoft.Storage/storageAccounts/', - variables('storageName'))]\",\"[concat('Microsoft.Sql/servers/', parameters('serverName'), - '/securityAlertPolicies/Default')]\"]}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6134c3db-786f-471e-87bc-8f479dc890f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Configure time zone on Windows machines.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', + variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/vulnerabilityAssessments","apiVersion":"2018-06-01-preview","properties":{"storageContainerPath":"[concat(reference(resourceId(''Microsoft.Storage/storageAccounts'', + variables(''storageName''))).primaryEndpoints.blob, 
''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', + variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', + variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Time zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) - International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) - Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) - Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja - California\",\"(UTC-08:00) Coordinated Universal Time-08\",\"(UTC-08:00) Pacific - Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, - Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central - America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter - Island\",\"(UTC-06:00) Guadalajara, Mexico City, 
Monterrey\",\"(UTC-06:00) - Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) - Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) - Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) - Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) - Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) - Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) - Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos - Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) - Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) - Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) - Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) - Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) - Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, - Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, - Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) - Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) - Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) - Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, - Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, - Sofia, Tallinn, Vilnius\",\"(UTC+02:00) Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) - Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) - Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) - Minsk\",\"(UTC+03:00) Moscow, St. 
Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) - Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) - Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) - Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) - Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) - Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) - Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) - Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) - Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, - Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) - Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong - Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) - Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) - Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) - Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) - Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, - Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) - Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) - Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) - Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) - Auckland, Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) - Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham - Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) - 
Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\
":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"SetWindowsTimeZone\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', - '=', parameters('TimeZone')))]\"},{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"SetWindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6141c932-9384-44c6-a395-59e4c057d7c9\"},{\"properties\":{\"displayName\":\"Service - Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Service + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) + Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) + 
Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) + Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) + Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time + (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US + & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, + Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio + Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) + Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks + and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) + Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San + Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) + Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) + Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) + Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated + Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) + Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, + Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) + Casablanca","(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) + Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, + Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) + West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) + Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) + Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, + Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) 
Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) + Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) + Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, + St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu + Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) + Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) + Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) + Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) + Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) + Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) + Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, + Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) + Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, + Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, + Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) + Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) + Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) + Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) + Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) + Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) + Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) + Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) + Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) + Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham 
Islands","(UTC+13:00) + Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microso
ft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9","type":"Microsoft.Authorization/policyDefinitions","name":"6141c932-9384-44c6-a395-59e4c057d7c9"},{"properties":{"displayName":"Service + Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","policyType":"BuiltIn","mode":"Indexed","description":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service - Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].name\",\"notEquals\":\"Security\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name\",\"notEquals\":\"ClusterProtectionLevel\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value\",\"notEquals\":\"EncryptAndSign\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"617c02be-7f02-4efd-8836-3180d47b6c68\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1110 - Audit Storage Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1415 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61a1dd98-b259-4840-abd5-fbba7ee0da83\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1153 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61cf3125-142c-4754-8a16-41ab4d529635\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft + Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft + Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + System objects''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - System objects'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"620e58b5-ac75-49b4-993f-a9d4f0459636\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"62b638c5-29d7-404b-8d93-f21e4b1ce198\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1660 - Session Authenticity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System 
and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63096613-ce83-43e5-96f4-e588e8813554\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1002 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"632024c2-8079-439d-a7f6-90af1d78cc65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1498 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"633988b9-cf2f-4323-8394-f0d2af9cd6e1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1177 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1185 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6420cd73-b939-43b7-9d99-e8688fea053c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Devices'. It also creates a system-assigned managed identity and deploys the - VM extension for Guest Configuration. This policy should only be used along - with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Devices: Allowed to format and eject removable media\",\"description\":\"Specifies + category: ''Security Options - System objects''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft + Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft + Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft + Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + Managed Control 1177 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft + Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: ''Security Options - + Devices''. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies who is allowed to format and eject removable NTFS media. 
You can use this policy setting to prevent unauthorized users from removing data on one computer - to access it on another computer on which they have local administrator privileges.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microso
ft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Devices: - Allowed to format and eject removable media;ExpectedValue', '=', parameters('DevicesAllowedToFormatAndEjectRemovableMedia')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsDevices\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), 
- toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: - Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: - Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6481cc21-ed6e-4480-99dd-ea7c5222e897\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1441 - Media Sanitization | Equipment Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6519d7f3-e8a2-4ff3-a935-9a9497152ad7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65592b16-4367-42c5-a26e-d371be450e17\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit missing blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-securi
ty-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', 
parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable 
media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft + Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft + Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: + Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"655cb504-bcee-4362-bd4c-402e6aa38759\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1261 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65aeceb5-a59c-4cb1-8d82-9c474be5d431\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"664346d9-be92-43fb-a219-d595eeb76a90\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1444 - Media Use | Prohibit Use Without Owner\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"666143df-f5e0-45bd-b554-135f0f93e44e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1319 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"66f7ae57-5560-4fc5-85c9-659f204e7a42\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1628 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"67de62b4-a737-4781-8861-3baed3c35069\"},{\"properties\":{\"displayName\":\"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft + Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft + Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External - Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68434bd1-e14b-4031-9edb-a4adf5f84a67\"},{\"properties\":{\"displayName\":\"[Preview]: + Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent - is not connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Connected workspace IDs\",\"description\":\"A semicolon-separated list of - the workspace IDs that the Log Analytics agent should be connected to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId', - '=', 
parameters('WorkspaceId')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsLogAnalyticsAgentConnection\"},\"WorkspaceId\":{\"value\":\"[parameters('WorkspaceId')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WorkspaceId\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68511db2-bd02-41c4-ae6b-1900a012968a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1597 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68b250ec-2e4f-4eee-898a-117a9fda7016\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1588 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68ebae26-e0e0-4ecb-8379-aabf633b51e9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1070 - Wireless Access | Disable Wireless Networking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68f837d0-8942-4b1e-9b31-be78b247bda8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1727 - Memory Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"697175a7-9715-4e89-b98b-c6f605888fa3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1652 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6998e84a-2d29-4e10-8962-76754d4f772d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1699 - Information System Monitoring | Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69c7bee8-bc19-4129-a51e-65a7b39d3e7c\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft + Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft + Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft + Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft + Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft + Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft + Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69d2a238-20ab-4206-a6dc-f302bf88b1b8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1244 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a13a8f8-c163-4b1b-8554-d63569dab937\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1019 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a3ee9b2-3977-459c-b8ce-2db583abd9f7\"},{\"properties\":{\"displayName\":\"[Preview]: + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft + Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft + Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit - Guard is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NotAvailableMachineState\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: State in which to show VMs on which Windows Defender Exploit Guard is not - available\",\"description\":\"Windows Defender Exploit Guard is only available + available","description":"Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value - to 'Non-Compliant' will make machines with older versions on which Windows + to ''Non-Compliant'' will make machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
- Setting this value to 'Compliant' will make these machines compliant.\"},\"allowedValues\":[\"Compliant\",\"Non-Compliant\"],\"defaultValue\":\"Non-Compliant\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsCon
figuration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState', - '=', parameters('NotAvailableMachineState')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDefenderExploitGuard\"},\"NotAvailableMachineState\":{\"value\":\"[parameters('NotAvailableMachineState')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NotAvailableMachineState\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit IP restrictions configuration for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-sc
ience-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + ''='', 
parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","type":"Microsoft.Authorization/policyDefinitions","name":"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d"},{"properties":{"displayName":"[Deprecated]: + Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a web application from common - attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8450e2-6c61-43b4-be65-62e3a197bffe\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1211 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8b9dc8-6b00-4701-aa96-bba3277ebf50\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Ensure WEB app is using the latest version of TLS encryption \",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: + Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ad61431-88ce-4357-a0e1-6da43f292bd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1653 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\"},{\"properties\":{\"displayName\":\"Deprecated - accounts should be removed from your 
subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated + accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1cbf55-e8b6-442f-ba4c-7246b6381474\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Service Bus to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b51af03-9277-49a9-a3f8-1c69c9ff7403\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1031 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b93a801-fe25-4574-a60d-cb22acffae00\"},{\"properties\":{\"displayName\":\"Not - allowed resource types\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + 
rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft + Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not + allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesNotAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of resource types that cannot be deployed.\",\"displayName\":\"Not allowed - resource types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesNotAllowed')]\"},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\"},{\"properties\":{\"displayName\":\"Microsoft + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + list of resource types that cannot be deployed.","displayName":"Not allowed + resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password - Strength Determination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c59a207-6aed-41dc-83a2-e1ff66e4a4db\"},{\"properties\":{\"displayName\":\"Microsoft + Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local - Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1437 - Media Transport | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\"},{\"properties\":{\"displayName\":\"Microsoft + Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft + Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent - Or Team\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d4820bc-8b61-4982-9501-2123cb776c00\"},{\"properties\":{\"displayName\":\"Function - App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function + App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1643 - Cryptographic Key Establishment And Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8d492c-dd7a-46f7-a723-fa66a425b87c\"},{\"properties\":{\"displayName\":\"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft + Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability - / Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1175 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6dab4254-c30d-4bb7-ae99-1d21586c063c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1651 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6db63528-c9ba-491c-8a80-83e1e6977a50\"},{\"properties\":{\"displayName\":\"Email - notification for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft + Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft + Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email + notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertNotifications\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e2593d9-add6-4083-9c9b-4b7d2188c899\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1586 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e3b2fbd-8f37-4766-a64d-3f37703dcb51\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1536 - Risk Assessment Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e40d9de-2ad4-4cb5-8945-23143326a502\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1530 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e8f9566-29f1-49cd-b61f-f8628a3cf993\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1460 - Access Control For Output Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f3ce1bb-4f77-4695-8355-70b08d54fdda\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1320 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f54c732-71d4-4f93-a696-4e373eca3a77\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: Japan East, Japan 
West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdb9205-3462-4cfc-87d8-16c7860b53f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1141 - Audit Generation | Changes By Authorized Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdefbf4-93e7-4513-bc95-c1858b7093e0\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft + Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft + Managed Control 1536 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft + Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft + Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft + Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft + Managed Control 1141 - Audit Generation | Changes By 
Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Microsoft Network Server'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + category: ''Security Options - Microsoft Network Server''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7008174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Windows Components'. + with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Send file samples when further analysis is required\",\"description\":\"Specifies - whether and how Windows Defender will submit samples of suspected malware - \ to Microsoft for further analysis when opt-in for MAPS telemetry is set.\"},\"defaultValue\":\"1\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow indexing of encrypted files\",\"description\":\"Specifies whether encrypted - items are allowed to be indexed.\"},\"defaultValue\":\"0\"},\"AllowTelemetry\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow Telemetry\",\"description\":\"Specifies configuration of the amount - of diagnostic and usage data reported to Microsoft. 
The data is transmitted - securely and sensitive data is not sent.\"},\"defaultValue\":\"2\"},\"AllowUnencryptedTraffic\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow unencrypted traffic\",\"description\":\"Specifies whether the Windows - Remote Management (WinRM) service sends and receives unencrypted messages - over the network.\"},\"defaultValue\":\"0\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always install with elevated privileges\",\"description\":\"Specifies whether + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic + and usage data reported to Microsoft. 
The data is transmitted securely and + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether Windows Installer should use system permissions when it installs any program - on the system.\"},\"defaultValue\":\"0\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Always prompt for password upon connection\",\"description\":\"Specifies whether + on the system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer - for a password upon connection.\"},\"defaultValue\":\"1\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Application: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Application event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Automatically send memory dumps for OS-generated error reports\",\"description\":\"Specifies + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in 
kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically.\"},\"defaultValue\":\"1\"},\"ConfigureDefaultConsent\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Configure Default consent\",\"description\":\"Specifies setting of the default - consent handling for error reports sent to Microsoft.\"},\"defaultValue\":\"4\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Configure Windows SmartScreen\",\"description\":\"Specifies how to manage - the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. 
Some information is sent to Microsoft about files and programs run - on PCs with this feature enabled.\"},\"defaultValue\":\"1\"},\"DisallowDigestAuthentication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Disallow Digest authentication\",\"description\":\"Specifies whether the Windows - Remote Management (WinRM) client will not use Digest authentication.\"},\"defaultValue\":\"0\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Disallow WinRM from storing RunAs credentials\",\"description\":\"Specifies - whether the Windows Remote Management (WinRM) service will not allow RunAs - credentials to be stored for any plug-ins.\"},\"defaultValue\":\"1\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Do not allow passwords to be saved\",\"description\":\"Specifies whether to - prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer.\"},\"defaultValue\":\"1\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Security: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Security event log in kilobytes.\"},\"defaultValue\":\"196608\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Set client connection encryption level\",\"description\":\"Specifies whether - to require the use of a specific encryption level to secure communications - between client computers and RD Session Host servers during Remote Desktop - Protocol (RDP) connections. 
This policy only applies when you are using native - RDP encryption.\"},\"defaultValue\":\"3\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Set the default behavior for AutoRun\",\"description\":\"Specifies the default + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent + Remote Desktop Services - Terminal Services clients from saving passwords + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. 
This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf - files. They often launch the installation program or other routines.\"},\"defaultValue\":\"1\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Setup: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the Setup event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - System: Specify the maximum log file size (KB)\",\"description\":\"Specifies - the maximum size for the System event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn off Data Execution Prevention for Explorer\",\"description\":\"Specifies + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer.\"},\"defaultValue\":\"0\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Specify the interval to check for definition updates\",\"description\":\"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies an interval at which to check for Windows Defender definition updates. 
The - time value is represented as the number of hours between update checks.\"},\"defaultValue\":\"8\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.C
ompute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Send - file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), - ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), - ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', - 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), - ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), - ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), - ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', - '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically - send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), - ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), - ',', 'Configure Windows 
SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), - ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), - ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), - ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), - ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', - parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection - encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), - ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), - ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), - ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', - parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution - Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), - ',', 'Specify the interval to check for definition updates;ExpectedValue', - '=', 
parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsComponents\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},\"AllowIndexingOfEncryptedFiles\":{\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},\"AllowTelemetry\":{\"value\":\"[parameters('AllowTelemetry')]\"},\"AllowUnencryptedTraffic\":{\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},\"AlwaysInstallWithElevatedPrivileges\":{\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},\"AlwaysPromptForPasswordUponConnection\":{\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},\"ConfigureDefaultConsent\":{\"value\":\"[parameters('ConfigureDefaultConsent')]\"},\"ConfigureWindowsSmartScreen\":{\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},\"DisallowDigestAuthentication\":{\"value\":\"[parameters('DisallowDigestAuthentication')]\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},\"DoNotAllowPasswordsToBeSaved\":{\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},\"SetClientConnectionEncryptionLevel\":{\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},\"SetTheDefaultBehaviorForAutoRun\":{\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"
},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"string\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"string\"},\"AllowTelemetry\":{\"type\":\"string\"},\"AllowUnencryptedTraffic\":{\"type\":\"string\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"string\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"string\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"string\"},\"ConfigureDefaultConsent\":{\"type\":\"string\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"string\"},\"DisallowDigestAuthentication\":{\"type\":\"string\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"string\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"string\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"string\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"string\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"string\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"string\"}},\"resou
rces\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send - file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow - indexing of encrypted files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow - Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow - unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always - install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always - prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically - send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure - Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure - Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow - Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow - WinRM 
from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do - not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set - client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set - the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn - off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify - the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send - file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow - indexing of encrypted 
files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow - Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow - unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always - install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always - prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically - send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure - Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure - Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow - Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow - WinRM from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do - not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set - client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set - the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: - Specify the maximum log file size 
(KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: - Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn - off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify - the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7040a231-fb65-4412-8c0a-b365f4866c24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"704e136a-4fe0-427c-b829-cd69957f5d2b\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - System'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7066131b-61a6-4917-a7e4-72e8983f0aa6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1509 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70792197-9bfc-4813-905a-bd33993e327f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1541 - Risk 
Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70f6af82-7be6-44aa-9b15-8b9231b2e434\"},{\"properties\":{\"displayName\":\"Microsoft + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), + '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), + '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), + '','', ''Allow unencrypted traffic;ExpectedValue'', ''='', parameters(''AllowUnencryptedTraffic''), + '','', ''Always install with elevated privileges;ExpectedValue'', ''='', parameters(''AlwaysInstallWithElevatedPrivileges''), + '','', ''Always prompt for 
password upon connection;ExpectedValue'', ''='', + parameters(''AlwaysPromptForPasswordUponConnection''), '','', ''Application: + Specify the maximum log file size (KB);ExpectedValue'', ''='', parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB''), + '','', ''Automatically send memory dumps for OS-generated error reports;ExpectedValue'', + ''='', parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports''), + '','', ''Configure Default consent;ExpectedValue'', ''='', parameters(''ConfigureDefaultConsent''), + '','', ''Configure Windows SmartScreen;ExpectedValue'', ''='', parameters(''ConfigureWindowsSmartScreen''), + '','', ''Disallow Digest authentication;ExpectedValue'', ''='', parameters(''DisallowDigestAuthentication''), + '','', ''Disallow WinRM from storing RunAs credentials;ExpectedValue'', ''='', + parameters(''DisallowWinRMFromStoringRunAsCredentials''), '','', ''Do not + allow passwords to be saved;ExpectedValue'', ''='', parameters(''DoNotAllowPasswordsToBeSaved''), + '','', ''Security: Specify the maximum log file size (KB);ExpectedValue'', + ''='', parameters(''SecuritySpecifyTheMaximumLogFileSizeKB''), '','', ''Set + client connection encryption level;ExpectedValue'', ''='', parameters(''SetClientConnectionEncryptionLevel''), + '','', ''Set the default behavior for AutoRun;ExpectedValue'', ''='', parameters(''SetTheDefaultBehaviorForAutoRun''), + '','', ''Setup: Specify the maximum log file size (KB);ExpectedValue'', ''='', + parameters(''SetupSpecifyTheMaximumLogFileSizeKB''), '','', ''System: Specify + the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), + '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', + ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify + the interval to check for definition updates;ExpectedValue'', ''='', 
parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFi
leSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size 
(KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated 
privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to 
check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft + Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - System''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''System + Audit Policies - System''. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft + Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For - Real-Time Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71475fb4-49bd-450b-a1a5-f63894c24725\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1481 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"717a1c78-a267-4f56-ac58-ee6c54dc4339\"},{\"properties\":{\"displayName\":\"Microsoft + Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft + Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time - Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71bb965d-4047-4623-afd4-b8189a58df5d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1395 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7207a023-a517-41c5-9df2-09d4c6845a05\"},{\"properties\":{\"displayName\":\"[Preview]: + Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft + Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not - compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows VMs on which the Desired State Configuration (DSC) configuration - is not compliant. This policy is only applicable to machines with WMF 4 and - above. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7227ebe5-9ff7-47ab-b823-171cd02fb90f\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - Network'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7229bd6a-693d-478a-87f0-1dc1af06f3b8\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + compliant","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + VMs on which the Desired State Configuration (DSC) configuration is not compliant. + This policy is only applicable to machines with WMF 4 and above. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - Network''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Administrative + Templates - Network''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7238174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the WEB app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7238174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the WEB app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App 
Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7261b898-8a84-4db8-9e04-18527132abb3\"},{\"properties\":{\"displayName\":\"[Preview]: + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App 
Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","type":"Microsoft.Authorization/policyDefinitions","name":"7261b898-8a84-4db8-9e04-18527132abb3"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous - 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + 24 passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"EnforcePasswordHistory\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726671ac-c4de-4908-8c7d-6043ae62e3b6\"},{\"properties\":{\"displayName\":\"Add - a tag to resource 
groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Wi
ndows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","type":"Microsoft.Authorization/policyDefinitions","name":"726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"properties":{"displayName":"Add + a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. 
If the tag exists with a different value it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726aca4c-86e9-4b04-b0c5-073027359532\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1524 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"72f1cb4e-2439-4fe8-88ea-b8671ce3c268\"},{\"properties\":{\"displayName\":\"Microsoft + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft + Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized - Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"731856d8-1598-4b75-92de-7d46235747c0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1101 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7327b708-f0e0-457d-9d2a-527fcc9c9a65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1456 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"733ba9e3-9e7c-440a-a7aa-6196a90a2870\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1581 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"742b549b-7a25-465f-b83c-ea1ffb4f4e0e\"},{\"properties\":{\"displayName\":\"Allowed - storage account SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft + Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft + Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft + Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed + storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of SKUs that can be specified for storage accounts.\",\"displayName\":\"Allowed - SKUs\",\"strongType\":\"StorageSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7433c107-6db4-4ad1-b57a-a76dce0154a1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\"},{\"properties\":{\"displayName\":\"Ensure - that 'Python version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + list of SKUs that can be specified for storage accounts.","displayName":"Allowed + SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft + Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure + that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows - Latest Python version\",\"description\":\"Latest supported Python version - for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux - Latest Python version\",\"description\":\"Latest supported Python version - for App 
Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', - parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74c3584d-afae-46f7-a20a-6f8adba71a16\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7522ed84-70d5-4181-afc0-21e50b1b6d0e\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit enabling of diagnostic logs in App Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.6"},"LinuxPythonLatestVersion":{"type":"String","metadata":{"displayName":"Linux + Latest Python version","description":"Latest supported Python version for + App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', + 
parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft + Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App - Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites/config\"},{\"field\":\"name\",\"equals\":\"web\"},{\"anyOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"notEquals\":\"true\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"752c6934-9bcc-4749-b004-655e676ae2ac\"},{\"properties\":{\"displayName\":\"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance - / Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75603f96-80a1-4757-991d-5a1221765ddd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1053 - Session Lock | Pattern-Hiding Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7582b19c-9dba-438e-aed8-ede59ac35ba3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1459 - Access Control For Transmission Medium\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\"},{\"properties\":{\"displayName\":\"Vulnerabilities - should be remediated by a Vulnerability Assessment solution\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + / Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft + Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft + Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities + should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"vulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"760a85ff-6162-42b3-8d70-698e268f648c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy Dependency Agent for Linux VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + a Vulnerability Assessment solution in Azure 
Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: + Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/im
ageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), - '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - extension for: ', 
parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"765266ab-e40e-4c61-bcb2-5a5275d0b7c0\"},{\"properties\":{\"displayName\":\"Microsoft + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-S
P4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), + ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + extension for: '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message - Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"769efd9b-3587-4e22-90ce-65ddcd5bd969\"},{\"properties\":{\"displayName\":\"Audit - delegation of scopes to a managing tenant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Lighthouse\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ManagedServices/registrationAssignments\"},{\"value\":\"true\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76bed37b-484f-430f-a009-fd7592dff818\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1058 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76e85d08-8fbb-4112-a1c1-93521e6a9254\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1508 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76f500cc-4bca-4583-bda1-6d084dc21086\"},{\"properties\":{\"displayName\":\"Microsoft + Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit + delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft + Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft + Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate - Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7741669e-d4f6-485a-83cb-e70ce7cbbc20\"},{\"properties\":{\"displayName\":\"Azure - subscriptions should have a log profile for Activity Log\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"field\":\"Microsoft.Insights/logProfiles/categories\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7796937f-307b-4598-941c-67d3a05ebfe7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1336 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"77f56280-e367-432a-a3b9-8ca2aa636a26\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1258 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7814506c-382c-4d33-a142-249dd4a0dbff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1178 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7818b8f4-47c6-441a-90ae-12ce04e99893\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1057 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78255758-6d45-4bf0-a005-7016bc03b13c\"},{\"properties\":{\"displayName\":\"Microsoft + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft + Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft + Managed Control 1258 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft + Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft + Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network - Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1010 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"784663a8-1eb0-418a-a98c-24d19bc1bb62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1216 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7894fe6a-f5cb-44c8-ba90-c3f254ff9484\"},{\"properties\":{\"displayName\":\"Microsoft + Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft + Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft + Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System - Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78e8e649-50f6-4fe3-99ac-fedc2e63b03f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1647 - Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"791cfc15-6974-42a0-9f4c-2d4b82f4a78c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1510 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79da5b09-0e7e-499e-adda-141b069c7998\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1384 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79fbc228-461c-4a45-9004-a865ca0728a7\"},{\"properties\":{\"displayName\":\"Deploy + Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft + Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft + Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft + Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console - is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"EMSPortNumber\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS - Port Number\",\"description\":\"An integer indicating the COM port to be used + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. 
For more - information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"1\",\"2\",\"3\",\"4\"],\"defaultValue\":\"1\"},\"EMSBaudRate\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS - Baud Rate\",\"description\":\"An integer indicating the baud rate to be used - for the Emergency Management Services (EMS) console redirection. For more - information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"9600\",\"19200\",\"38400\",\"57600\",\"115200\"],\"defaultValue\":\"115200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/
imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber', - '=', parameters('EMSPortNumber'), ',', '[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate', - '=', 
parameters('EMSBaudRate')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsSerialConsole\"},\"EMSPortNumber\":{\"value\":\"[parameters('EMSPortNumber')]\"},\"EMSBaudRate\":{\"value\":\"[parameters('EMSBaudRate')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EMSPortNumber\":{\"type\":\"string\"},\"EMSBaudRate\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a031c68-d6ab-406e-a506-697a19c634b0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1093 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1708 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a1e2c88-13de-4959-8ee7-47e3d74f1f48\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1289 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a724864-956a-496c-b778-637cb1d762cf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1687 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a87fc7f-301e-49f3-ba2a-4d74f424fa97\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1061 - Remote Access | Automated Monitoring / Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ac22808-a2e8-41c4-9d46-429b50738914\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1492 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ad5f307-e045-46f7-8214-5bdb7e973737\"},{\"properties\":{\"displayName\":\"Microsoft + information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS + Baud Rate","description":"An integer indicating the baud rate to be used for + the Emergency Management Services (EMS) console redirection. 
For more information + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"
allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', + ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft + Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft + Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft + Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft + Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft + Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft + Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / - Mechanisms / Support Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7b694eed-7081-43c6-867c-41c76c961043\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Virtual Machine Scale Sets should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic + logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"IaaSDiagnostics\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Diagnostics\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"LinuxDiagnostic\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"in\":[\"Microsoft.OSTCExtensions\",\"Microsoft.Azure.Diagnostics\"]}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c1b1214-f927-48bf-8882-84f0af6588b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Require blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + investigations are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Storage\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1143 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c6de11b-5f51-4f7c-8d83-d2467c8a816e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1051 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1279 - Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\"},{\"properties\":{\"displayName\":\"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + 
Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft + Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft + Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of - Planned Audit Record Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1201 - Security Impact Analysis | Separate Test Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7daef997-fdd3-461b-8807-a608a6dd70f1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1471 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7dd0e9ce-1772-41fb-a50a-99977071f916\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft + Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft + Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show + audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e56b49b-5990-4159-a734-511ea19b731c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1011 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e6a54f3-883f-43d5-87c4-172dfd64a1f5\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that have not restarted within the specified - number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that have not restarted within the specified - number of days. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e84ba44-6d03-46fd-950e-5efa5a1112fa\"},{\"properties\":{\"displayName\":\"Microsoft + number of days","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that have not restarted within the specified number of days. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound - Communications Traffic\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ecda928-9df4-4dd7-8f44-641a91e470e8\"},{\"properties\":{\"displayName\":\"[Preview]: + Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity - setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordMustMeetComplexityRequirements\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit 
https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{
"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f26a61b-a74d-467c-99cf-63644db144f7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1520 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f2c513b-eb16-463b-b469-c10e5fa94f0a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f37f71b-420f-49bf-9477-9c0196974ecf\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft + Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft + Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Privilege Use'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\"},{\"properties\":{\"displayName\":\"Audit - diagnostic setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - diagnostic setting for selected resource types\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfResourceTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - 
Types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypes')]\"},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f89b1eb-583c-429a-8828-af049802c1d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7fbfe680-6dbb-4037-963c-a621c5635902\"},{\"properties\":{\"displayName\":\"SQL + category: ''System Audit Policies - Privilege Use''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft + Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical - activities\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"The - AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, + activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups + property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"FAILED_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"BATCH_COMPLETED_GROUP\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ff426e2-515f-405a-91c8-4f2333442eb5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1703 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"804faf7d-b687-40f7-9f74-79e28adf4205\"},{\"properties\":{\"displayName\":\"Microsoft + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft + Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. 
Users) | Local - Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"80ca0a27-918a-4604-af9e-723a27ee51e8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1505 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"813a10a7-3943-4fe3-8678-00dc52db5490\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1614 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8154e3b3-cc52-40be-9407-7756581d71f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft + Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'User Rights Assignment'. + with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may access this computer from the network\",\"description\":\"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. - This does not include Remote Desktop Connection.\"},\"defaultValue\":\"Administrators, - Authenticated Users\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may log on locally\",\"description\":\"Specifies which - users or groups can interactively log on to the computer. 
Users who attempt - to log on via Remote Desktop Connection or IIS also require this user right.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may log on through Remote Desktop Services\",\"description\":\"Specifies + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, - Remote Desktop, or for Remote Assistance.\"},\"defaultValue\":\"Administrators, - Remote Desktop Users\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied access to this computer from the network\",\"description\":\"Specifies + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the 
network.\"},\"defaultValue\":\"Guests\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may manage auditing and security log\",\"description\":\"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may back up files and directories\",\"description\":\"Specifies + and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may change the system time\",\"description\":\"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies which users and groups are permitted to change the time and date on the internal - clock of the computer.\"},\"defaultValue\":\"Administrators, LOCAL SERVICE\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may change the time 
zone\",\"description\":\"Specifies - which users and groups are permitted to change the time zone of the computer.\"},\"defaultValue\":\"Administrators, - LOCAL SERVICE\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may create a token object\",\"description\":\"Specifies - which users and groups are permitted to create an access token, which may - provide elevated rights to access sensitive data.\"},\"defaultValue\":\"No - One\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied logging on as a batch job\",\"description\":\"Specifies + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task).\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied logging on as a service\",\"description\":\"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied local logon\",\"description\":\"Specifies - which users and groups are explicitly not permitted to log on to the computer.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that are denied log on through Remote Desktop Services\",\"description\":\"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client.\"},\"defaultValue\":\"Guests\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - User and groups that may force shutdown from a remote system\",\"description\":\"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may 
force shutdown from a remote system","description":"Specifies which users and groups are permitted to shut down the computer from a remote - location on the network.\"},\"defaultValue\":\"Administrators\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that may restore files and directories\",\"description\":\"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users and groups that may shut down the system\",\"description\":\"Specifies - which users and groups who are logged on locally to the computers in your - environment are permitted to shut down the operating system with the Shut - Down command.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Users or groups that may take ownership of files or other objects\",\"description\":\"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down 
command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user.\"},\"defaultValue\":\"Administrators\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equa
ls\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Access - this computer from the network;ExpectedValue', '=', parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'), - ',', 'Allow log on locally;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnLocally'), - ',', 'Allow log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'), - ',', 'Deny access to this computer from the network;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'), - ',', 'Manage auditing and security log;ExpectedValue', '=', parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'), - ',', 'Back up files and 
directories;ExpectedValue', '=', parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'), - ',', 'Change the system time;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheSystemTime'), - ',', 'Change the time zone;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheTimeZone'), - ',', 'Create a token object;ExpectedValue', '=', parameters('UsersOrGroupsThatMayCreateATokenObject'), - ',', 'Deny log on as a batch job;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'), - ',', 'Deny log on as a service;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'), - ',', 'Deny log on locally;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLocalLogon'), - ',', 'Deny log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'), - ',', 'Force shutdown from a remote system;ExpectedValue', '=', parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'), - ',', 'Restore files and directories;ExpectedValue', '=', parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'), - ',', 'Shut down the system;ExpectedValue', '=', parameters('UsersAndGroupsThatMayShutDownTheSystem'), - ',', 'Take ownership of files or other objects;ExpectedValue', '=', 
parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_UserRightsAssignment\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLo
gOnThroughRemoteDesktopServices')]\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"string\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"string\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"string\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"string\"},\"UsersAndGroupsThatMayShutDownThe
System\":{\"type\":\"string\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access - this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny - access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage - auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back - up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change - the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change - the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create - a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny - log on as a batch 
job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny - log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force - shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore - files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut - down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take - ownership of files or other objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access - this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow - log on through Remote Desktop 
Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny - access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage - auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back - up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change - the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change - the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create - a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny - log on as a batch job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny - log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny - log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny - log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force - shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore - files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut - down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take - ownership of files or other 
objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"815dcc9f-6662-43f2-9a03-1b83e9876f24\"},{\"properties\":{\"displayName\":\"Microsoft + that are in place to protect objects to give ownership to the specified 
user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), + '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), + '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', + parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices''), '','', + ''Deny access to this computer from the network;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork''), + '','', ''Manage auditing and security log;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog''), + '','', ''Back up files and directories;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories''), + '','', ''Change the system time;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayChangeTheSystemTime''), + '','', ''Change the time zone;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayChangeTheTimeZone''), + '','', ''Create a token object;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayCreateATokenObject''), + '','', ''Deny log on as a batch job;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob''), + '','', ''Deny log on as a service;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService''), + '','', ''Deny log on 
locally;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatAreDeniedLocalLogon''), + '','', ''Deny log on through Remote Desktop Services;ExpectedValue'', ''='', + parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices''), + '','', ''Force shutdown from a remote system;ExpectedValue'', ''='', parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem''), + '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), + '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), + '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersO
rGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayC
reateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system 
time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the 
network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the 
system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. 
Users) | Remote - Access - Separate Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81817e1c-5347-48dd-965a-40159d008229\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1287 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"819dc6da-289d-476e-8500-7e341ef8677d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81f11e32-a293-4a58-82cd-134af52e2318\"},{\"properties\":{\"displayName\":\"Geo-redundant - backup should be enabled for Azure Database for MySQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82339799-d096-41ae-8538-b108becf0970\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1168 - Continuous Monitoring | Independent Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82409f9e-1f32-4775-bf07-b99d53a91b06\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1448 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"825d6494-e583-42f2-a3f2-6458e6f0004f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1452 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82c76455-4d3f-4e09-a654-22e592107e74\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1262 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"831e510e-db41-4c72-888e-a0621ab62265\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1008 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8356cfc6-507a-4d20-b818-08038011cd07\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Event Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft + Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft + Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft + Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft + Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft + Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft + Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft + Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic + logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Event - Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a214f7-d01a-484b-91a9-ed54470c9a6a\"},{\"properties\":{\"displayName\":\"Network - interfaces should not have public 
IPs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. 
Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. - This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id\",\"notLike\":\"*\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a86a26-fd1f-447c-b59d-e51f44264114\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1382 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"841392b3-40da-4473-b328-4cde49db67b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1098 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84363adb-dde3-411a-9fc1-36b56737f822\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the Web - app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft + Managed Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the Web + app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"843664e0-7563-41ee-a9cb-7522c382d2c4\"},{\"properties\":{\"displayName\":\"Microsoft + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft 
Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review - And Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"845f6359-b764-4b40-b579-657aefe23c44\"},{\"properties\":{\"displayName\":\"Microsoft + And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical - Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84914fb4-12da-4c53-a341-a9fd463bed10\"},{\"properties\":{\"displayName\":\"Microsoft + Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. - Access To Non-Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84e622c8-4bed-417c-84c6-b2fb0dd73682\"},{\"properties\":{\"displayName\":\"Microsoft + Access To Non-Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage - Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"852981b4-a380-4704-aa1e-2e52d63445e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1580 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"854db8ac-6adf-42a0-bef3-b73f764f40b9\"},{\"properties\":{\"displayName\":\"Microsoft + Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) - | Acceptance Of Third-Party Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"855ced56-417b-4d74-9d5f-dd1bc81e22d6\"},{\"properties\":{\"displayName\":\"Microsoft + | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized - Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"85c32733-7d23-4948-88da-058e2c56b60f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1326 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8605fc00-1bf5-4fb3-984e-c95cec4f231d\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Microsoft Network Server'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infr
astructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86880e5c-df35-43c5-95ad-7e120635775e\"},{\"properties\":{\"displayName\":\"Deploy - SQL DB transparent data 
encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enables - transparent data encryption on SQL databases\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullDbName\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('fullDbName'), - '/current')]\",\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"apiVersion\":\"2014-04-01\",\"properties\":{\"status\":\"Enabled\"}}]},\"parameters\":{\"fullDbName\":{\"value\":\"[field('fullName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86a912f6-9a06-4e26-b447-11b16ba8659f\"},{\"properties\":{\"displayName\":\"System - updates should be installed on your machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Missing + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy + SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables + transparent data encryption on SQL 
databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + ''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System + updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"systemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86b3d65f-7626-441e-b690-81a8b71cff60\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1507 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ccd1bf-e7ad-4851-93ce-6ec817469c1e\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is enabled on API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft + Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86d97760-d216-4d81-a3ad-163087b2b6c3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1392 - Information Spillage Response | Post-Spill Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86dc819f-15e1-43f9-a271-41ae58d4cecc\"},{\"properties\":{\"displayName\":\"Microsoft + Azure services securely without the 
need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft + Managed Control 1392 - Information Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments - / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ec7f9b-9478-40ff-8cfd-6a0d510081a8\"},{\"properties\":{\"displayName\":\"Microsoft + / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / - Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8713a0ed-0d1e-4d10-be82-83dffb39830e\"},{\"properties\":{\"displayName\":\"Require - specified tag\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces - existence of a tag. Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"871b6d14-10aa-478d-b590-94f262ecfa99\"},{\"properties\":{\"displayName\":\"Microsoft + Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require + specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy - / Currency\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"874e7880-a067-42a7-bcbe-1a340f54c8cc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1635 - Boundary Protection | Host-Based Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft + Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - Control Panel'. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87b590fe-4a1d-4697-ae74-d4fe72ab786c\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Administrative Templates - Control Panel''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical - Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87f7cd82-2e45-4d0f-9e2f-586b0962d142\"},{\"properties\":{\"displayName\":\"Microsoft + Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document - / Verify\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"881299bf-2a5b-4686-a1b2-321d33679953\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1356 - Incident Response Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8829f8f5-e8be-441e-85c9-85b72a5d0ef3\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft + Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy + prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names\",\"description\":\"A semicolon-separated list of the names of the applications - that should not be installed. e.g. 
'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\"
:[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent', - '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), - 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"not_installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: - [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"884b209a-963b-4520-8006-d20cb3c213e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1317 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8877f519-c166-47b7-81b7-8a8eb4ff3775\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1501 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88817b58-8472-4f6c-81fa-58ce42b67f51\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names","description":"A semicolon-separated list of the names of the applications + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', + '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: + ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft + Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft + Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App 
Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88999f4c-376a-45c8-bcb3-4058f713cf39\"},{\"properties\":{\"displayName\":\"Network - interfaces should disable IP forwarding\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App 
Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","type":"Microsoft.Authorization/policyDefinitions","name":"88999f4c-376a-45c8-bcb3-4058f713cf39"},{"properties":{"displayName":"Network + interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting - of IP forwarding disables Azure's check of the source and destination for - a network interface. 
This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"field\":\"Microsoft.Network/networkInterfaces/enableIpForwarding\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88c0b9da-ce96-4b03-9635-f29a937e2900\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1215 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88fc93e8-4745-4785-b5a5-b44bb92c44ff\"},{\"properties\":{\"displayName\":\"SQL + of IP forwarding disables Azure''s check of the source and destination for + a network interface. 
This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 - days.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL servers configured with an auditing retention period of less than 90 days.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/retentionDays\",\"greater\":90}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"89099bee-89e0-4b26-a5f4-165451757743\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1411 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"898d4fe8-f743-4333-86b7-0c9245d93e7d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1092 - Security Awareness Training | Insider Threat\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a29d47b-8604-4667-84ef-90d203fcb305\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft + Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + System settings''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - System settings'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a39d1f1-5513-4628-b261-f469a5a3341b\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + category: ''Security Options - System settings''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b0de57a-f511-4d45-a277-17cb79cb163b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1534 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b2b263e-cd05-4488-bcbf-4debec7a17d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1170 - Penetration 
Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Windows Firewall Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft + Managed Control 1170 - Penetration Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Windows Firewall Properties'. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8bbd627e-4d25-4906-9a6e-3789780af3ec\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + category: ''Windows Firewall Properties''. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"Equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c122334-9d20-4eb8-89ea-ac9a705b74ae\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1458 - Physical Access Control | Information System Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1683 - 
Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c79fee4-88dd-44ce-bbd4-4de88948c4f8\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1316 - Identifier Management | Identify User 
Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce14753-66e5-465d-9841-26ef55c09c0d\"},{\"properties\":{\"displayName\":\"Require - tag and its value on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces - a required tag and its value on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce3da23-7156-49e4-b145-24f95f9dcb46\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1324 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and 
Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cfea2b3-7f77-497e-ac20-0752f2ff6eee\"},{\"properties\":{\"displayName\":\"Microsoft + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft + Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft + Managed Control 1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest + TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft + Managed Control 1316 - Identifier Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require + tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as 
''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft + Managed Control 1324 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated - Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d096fe0-f510-4486-8b4d-d17dc230980b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1288 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8dc459b3-0e77-45af-8d71-cfd8c9654fe2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1250 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8de614d8-a8b7-4f70-a62a-6d37089a002c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft + Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft + Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft + Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Object Access'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditDetailedFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Detailed File Share\",\"description\":\"If this policy setting is enabled, + with non-compliant settings in Group Policy category: ''System Audit Policies + - Object Access''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing - for Success can lead to very high volumes of events.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - Auditing\"},\"AuditFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit File Share\",\"description\":\"Specifies whether to audit events related + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File - Servers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"},\"AuditFileSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit File System\",\"description\":\"Specifies whether audit events are generated + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated - only for objects that have configured system access control lists (SACLs).\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePub
lisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Detailed File Share;ExpectedValue', '=', parameters('AuditDetailedFileShare'), - ',', 'Audit File Share;ExpectedValue', '=', parameters('AuditFileShare'), - ',', 'Audit File System;ExpectedValue', '=', 
parameters('AuditFileSystem')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\"},\"AuditDetailedFileShare\":{\"value\":\"[parameters('AuditDetailedFileShare')]\"},\"AuditFileShare\":{\"value\":\"[parameters('AuditFileShare')]\"},\"AuditFileSystem\":{\"value\":\"[parameters('AuditFileSystem')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditDetailedFileShare\":{\"type\":\"string\"},\"AuditFileShare\":{\"type\":\"string\"},\"AuditFileSystem\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit - File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit - File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit - File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit - File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e170edb-e0f5-497a-bb36-48b3280cec6a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1278 - Alternate Processing Site | Preparation For Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e5ef485-9e16-4c53-a475-fbb8107eac59\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1517 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8f5ad423-50d6-4617-b058-69908f5586c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1668 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fb0966e-be1d-42c3-baca-60df5c0bcc61\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1013 - Account Management | Automated System Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fd7b917-d83b-4379-af60-51e14e316c61\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1147 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fef824a-29a8-4a4c-88fc-420a39c0d541\"},{\"properties\":{\"displayName\":\"[Preview]: + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), + '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), + '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft + Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft + Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft + Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft + Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft + Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using - reversible encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"StorePasswordsUsingReversibleEncryption\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ff0b18b-262e-4512-857a-48ad0aeb9a78\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1550 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"902908fb-25a8-4225-a3a5-5603c80066c9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall - Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
+ toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft + Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall + 
Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. + with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Use profile settings\",\"description\":\"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Apply local firewall rules\",\"description\":\"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Domain): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Use profile settings\",\"description\":\"Specifies + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Apply local firewall rules\",\"description\":\"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Private): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Private profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Use profile settings\",\"description\":\"Specifies + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. 
If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection - security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Behavior for outbound connections\",\"description\":\"Specifies + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Apply local connection security rules\",\"description\":\"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Apply local firewall rules\",\"description\":\"Specifies + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall 
rules","description":"Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public - profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall (Public): Display notifications\",\"description\":\"Specifies + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for - the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Domain: Allow unicast response\",\"description\":\"Specifies + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; - for the Domain profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Private: Allow unicast response\",\"description\":\"Specifies + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or 
broadcast messages; - for the Private profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Windows Firewall: Public: Allow unicast response\",\"description\":\"Specifies + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; - for the Public profile.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-in
ternet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Windows - Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), - ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Domain: Settings: Apply local 
firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), - ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), - ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows - Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), - ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), - ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', - parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', - '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), - ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', - '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows - Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), - ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', - parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: - Private: Allow unicast response;ExpectedValue', '=', 
parameters('WindowsFirewallPrivateAllowUnicastResponse'), - ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', - parameters('WindowsFirewallPublicAllowUnicastResponse')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsFirewallProperties\"},\"WindowsFirewallDomainUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},\"WindowsFirewallDomainDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},\"WindowsFirewallPublicUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirew
allPublicBehaviorForOutboundConnections')]\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},\"WindowsFirewallPublicDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPubli
cApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallPublicDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows - Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Private: Outbound 
connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows - Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Private: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Private: Settings: 
Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows - Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows - Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows - Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows - Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"909c958d-1b99-4c74-b88f-46a5c5bc34f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90b60a09-133d-45bc-86ef-b206a6134bbe\"},{\"properties\":{\"displayName\":\"Deploy + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows + Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), + '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', + parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', + ''Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainApplyLocalFirewallRules''), '','', + ''Windows Firewall: Domain: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallDomainDisplayNotifications''), '','', ''Windows + Firewall: Private: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateUseProfileSettings''), + '','', ''Windows Firewall: Private: Outbound connections;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections''), + '','', ''Windows Firewall: Private: Settings: Apply local connection security + rules;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateApplyLocalFirewallRules''), '','', + ''Windows Firewall: 
Private: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateDisplayNotifications''), '','', + ''Windows Firewall: Public: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallPublicUseProfileSettings''), + '','', ''Windows Firewall: Public: Outbound connections;ExpectedValue'', ''='', + parameters(''WindowsFirewallPublicBehaviorForOutboundConnections''), '','', + ''Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules''), + '','', ''Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicApplyLocalFirewallRules''), '','', + ''Windows Firewall: Public: Settings: Display a notification;ExpectedValue'', + ''='', parameters(''WindowsFirewallPublicDisplayNotifications''), '','', ''Windows + Firewall: Domain: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainAllowUnicastResponse''), + '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', + ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', + ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', + 
parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApp
lyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastRespon
se":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: 
Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall 
state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security 
rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft + Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows - PowerShell modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Modules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell - Modules\",\"description\":\"A semicolon-separated list of the names of the - PowerShell modules that should be installed. You may also specify a specific - version of a module that should be installed by including a comma after the - module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\"
:\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellModules]PowerShellModules1;Modules', - '=', 
parameters('Modules')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellModules\"},\"Modules\":{\"value\":\"[parameters('Modules')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Modules\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90ba2ee7-4ca8-4673-84d1-c851c50d3baf\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell + Modules","description":"A semicolon-separated list of the names of the PowerShell + modules that should be installed. You may also specify a specific version + of a module that should be installed by including a comma after the module + name, followed by the desired version. e.g. 
PSDscResources; SqlServerDsc, + 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.C
ompute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit - Trail\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90d8b8ad-8ee3-4db7-913f-2a53fcff5316\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1355 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90e01f69-3074-4de8-ade7-0fef3e7d83e0\"},{\"properties\":{\"displayName\":\"Microsoft + Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft + Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative - Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90f01329-a100-43c2-af31-098996135d2b\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Windows Components'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9178b430-2295-406e-bb28-f6a7a2a2f897\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1069 - Wireless Access | Authentication And Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"91c97b44-791e-46e9-bad7-ab7c4949edbb\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Windows 
Components''. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute
/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection - / Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"924e1b2d-c502-478f-bfdb-a7e09a0d5c01\"},{\"properties\":{\"displayName\":\"MFA - should be enabled accounts with write permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + / Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9297c21d-2ed6-4474-b48f-163f75654ce3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1290 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"92f85ce9-17b7-49ea-85ee-ea7271ea6b82\"},{\"properties\":{\"displayName\":\"[Preview]: + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft + Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within - the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9328f27e-611e-44a7-a244-39109d7d35ab\"},{\"properties\":{\"displayName\":\"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does - not contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members - to include\",\"description\":\"A semicolon-separated list of members that - should be included in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":
\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToInclude', - '=', parameters('MembersToInclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToInclude\"},\"MembersToInclude\":{\"value\":\"[parameters('MembersToInclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToInclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93507a81-10a4-4af0-9ee2-34cf25a96e98\"},{\"properties\":{\"displayName\":\"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members + to include","description":"A semicolon-separated list of members that should + be included in the Administrators local group. 
Ex: Administrator; myUser1; + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL20
08*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + ''='', parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security - Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\"},{\"properties\":{\"displayName\":\"Microsoft + Controls","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks - For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e9e233-dd0a-4bde-aea5-1371bce0e002\"},{\"properties\":{\"displayName\":\"Microsoft + For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore - Within Time Period\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93fd8af1-c161-4bae-9ba9-f62731f76439\"},{\"properties\":{\"displayName\":\"Microsoft + Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"942b3e97-6ae3-410e-a794-c9c999b97c0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1379 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9442dd2c-a07f-46cd-b55a-553b66ba47ca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1371 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9447f354-2c85-4700-93b3-ecdc6cb6a417\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in European data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: North Europe, West Europe\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"94c19f19-8192-48cd-a11b-e37099d3e36b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1526 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"953e6261-a05a-44fd-8246-000e1a3edbb9\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft + Managed Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they - reach the web app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95bccee9-a7f8-4bec-9ee9-62c3473701fc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1163 - Continuous 
Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"961663a1-8a91-4e59-b6f5-1eee57c0f49c\"},{\"properties\":{\"displayName\":\"Require - specified tag on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces - existence of a tag on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"96670d01-0a4d-4649-9c89-2d3abc0a5025\"},{\"properties\":{\"displayName\":\"Microsoft + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft + Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require + specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary - Or Machine Executable Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\"},{\"properties\":{\"displayName\":\"Advanced + Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email 
address to receive - security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure - that an email address is provided for the 'Send alerts to' field in the Advanced - Data Security server settings. This email address receives alert notifications - when anomalous activities are detected on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9677b740-f641-4f3c-b9c5-466005c85278\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1453 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9693b564-3008-42bc-9d5d-9c7fe198c011\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Adminstrative Templates - - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure + that an email address is provided for the ''Send alerts to'' field in the + Advanced Data Security server settings. This email address receives alert + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft + Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Adminstrative Templates - MSS (Legacy)'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97646672-5efa-4622-9b54-740270ad60bf\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Administrative Templates - MSS (Legacy)''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic - Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"976a74cf-b192-4d35-8cab-2068f272addb\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System 
and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Policy Change'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditAuthenticationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Authentication Policy Change\",\"description\":\"Specifies whether audit + with non-compliant settings in Group Policy category: ''System Audit Policies + - Policy Change''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust - and privileges that are granted to user accounts or groups.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Authorization Policy Change\",\"description\":\"Specifies whether audit + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes - changes and Central Access Policy changes for file system objects.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No - 
Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\
"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Authentication Policy Change;ExpectedValue', '=', parameters('AuditAuthenticationPolicyChange'), - ',', 'Audit Authorization Policy Change;ExpectedValue', '=', parameters('AuditAuthorizationPolicyChange')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\"},\"AuditAuthenticationPolicyChange\":{\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},\"AuditAuthorizationPolicyChange\":{\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditAuthenticationPolicyChange\":{\"type\":\"string\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(paramete
rs('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit - Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit - Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97b595c8-fd10-400e-8543-28e2b9138b13\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1136 - Audit Record Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97ed5bac-a92f-4f6d-a8ed-dc094723597c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1378 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97fceb70-6983-42d0-9331-18ad8253184d\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in United States data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf
":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft + Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft + Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West 
US\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"centralus\",\"eastus\",\"eastus2\",\"northcentralus\",\"southcentralus\",\"westus\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"983211ba-f348-4758-983b-21fa29294869\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + US2, North Central US, South Central US, West US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - Network'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnableInsecureGuestLogons\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enable insecure guest logons\",\"description\":\"Specifies whether the SMB - client will allow insecure guest logons to an SMB server.\"},\"defaultValue\":\"0\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Allow simultaneous connections to the Internet or a Windows Domain\",\"description\":\"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them.\"},\"defaultValue\":\"1\"},\"TurnOffMulticastNameResolution\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Turn off multicast name resolution\",\"description\":\"Specifies whether LLMNR, + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a - local subnet link on a single subnet, is enabled.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},
{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enable - insecure guest logons;ExpectedValue', '=', parameters('EnableInsecureGuestLogons'), - ',', 'Minimize the number of simultaneous connections to the Internet or a - Windows Domain;ExpectedValue', '=', parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'), - ',', 'Turn off multicast name resolution;ExpectedValue', '=', 
parameters('TurnOffMulticastNameResolution')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesNetwork\"},\"EnableInsecureGuestLogons\":{\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},\"TurnOffMulticastNameResolution\":{\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnableInsecureGuestLogons\":{\"type\":\"string\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"string\"},\"TurnOffMulticastNameResolution\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable - insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize - the number of simultaneous connections to the Internet or a Windows 
Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn - off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable - insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize - the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn - off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"985285b7-b97a-419c-8d48-c88cc934c8d8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1076 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"98a4bd5f-6436-46d4-ad00-930b5b1dfed4\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + local subnet link on a single subnet, is 
enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), + '','', ''Minimize the number of simultaneous connections to the Internet or + a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string
"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft + Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Api 
app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"991310cd-e9f3-47bc-b7b6-f57b557d07db\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1102 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9943c16a-c54c-4b4a-ad28-bfd938cdbf57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1300 - Identification And Authentication (Organizational Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"99deec7d-5526-472e-b07c-3645a792026a\"},{\"properties\":{\"displayName\":\"Microsoft + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft + Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft + Managed Control 1300 - Identification And Authentication (Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\"},{\"properties\":{\"displayName\":\"FTPS - only should be required in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable - FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a1b8c48-453a-4044-86c3-d8bfd823e4f5\"},{\"properties\":{\"displayName\":\"Microsoft + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS + only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared - / Group Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a3eb0a3-428d-4669-baff-20a14eb4b551\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Azure SQL Database to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.Sql/servers/databases/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('fullName'), - '/', 
'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Errors\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DatabaseWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Blocks\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLInsights\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Timeouts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutomaticTuning\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Deadlocks\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - diagnostic settings for ', parameters('fullName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"fullName\":{\"value\":\"[field('fullName')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a7c7a7d-49e5-4213-bea8-6a502b6272e0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1049 - System 
Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9adf7ba7-900a-4f35-8d57-9f34aafc405c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1563 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9afe2edf-232c-4fdf-8e6a-e867a5c525fd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1462 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\"},{\"properties\":{\"displayName\":\"Microsoft - IaaSAntimalware extension should be deployed on Windows servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft + Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft + Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft + Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft + IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-sma
lldisk\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b597639-28e4-48eb-b506-56b05d366257\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1236 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ba3ed84-c768-4e18-b87c-34ef1aff1b57\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1525 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9be2f688-7a61-45e3-8230-e1ec93893f66\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions",
"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft + Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft + Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications 
that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9bfe3727-0a17-471f-a2fe-eddd6b668745\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1138 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c284fc0-268a-4f29-af44-3c126674edb4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1135 - Non-Repudiation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c308b6b-2429-4b97-86cf-081b8e737b04\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1489 - Location Of Information System Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0a794f-1444-4c96-9534-e35fc8c39c91\"},{\"properties\":{\"displayName\":\"Ensure - that 'Java version' is the latest, if used as a part of the Funtion app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft + Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft + Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure + that ''Java version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - Java version\",\"description\":\"Latest supported Java version for App 
Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', - parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), - '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1322 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d1d971e-467e-4278-9633-c74c3d4fecc4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1233 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d79001f-95fe-45d0-8736-f217e78c1f57\"},{\"properties\":{\"displayName\":\"Microsoft + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App 
Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft + Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft + Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group - Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9166a8-1722-4b8f-847c-2cf3f2618b3d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1259 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9e18f7-bad9-4d30-8806-a0c9d5e26208\"},{\"properties\":{\"displayName\":\"Access - through Internet facing endpoint should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure - Security center has identified some of your Network Security Groups' inbound - rules to be too permissive. Inbound rules should not allow access from 'Any' - or 'Internet' ranges. This can potentially enable attackers to easily target - your resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedNetworkEndpoint\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9daedab3-fb2d-461e-b861-71790eead4f6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1500 - Rules Of 
Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\"},{\"properties\":{\"displayName\":\"Microsoft + Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft + Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access + through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure + Security center has identified some of your Network Security Groups'' inbound + rules to be too permissive. Inbound rules should not allow access from ''Any'' + or ''Internet'' ranges. This can potentially enable attackers to easily target + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft + Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With - Alarms / Notifications\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9df4277e-8c88-4d5c-9b1a-541d53d15d7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1490 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e61da80-0957-4892-b70c-609d5eaafb6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1504 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e7c35d0-12d4-4e0c-80a2-8a352537aefd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1609 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e93fa71-42ac-41a7-b177-efbfdc53c69f\"},{\"properties\":{\"displayName\":\"Append - tag and its value from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft + Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft + Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + Managed Control 1504 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append + tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources - are changed. New 'modify' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1494 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed09d84-3311-4853-8b67-2b55dfa33d09\"},{\"properties\":{\"displayName\":\"Microsoft + are changed. New ''modify'' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft + Managed Control 1494 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection - Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed5ca00-0e43-434e-a018-7aab91461ba7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1187 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f2b2f9e-4ba6-46c3-907f-66db138b6f85\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that are not set to the specified time zone\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Measures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft + Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show + audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f658460-46b7-43af-8565-94fc0662be38\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1354 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9fd92c17-163a-4511-bb96-bbb476449796\"},{\"properties\":{\"displayName\":\"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not - connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + connected as expected","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a030a57e-4639-4e8f-ade9-a92f33afe7ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1145 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0724970-9c75-4a64-a225-a28002953f28\"},{\"properties\":{\"displayName\":\"Allowed - resource 
types\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"fiel
d":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed + resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can - deploy. Only resource types that support 'tags' and 'location' will be affected - by this policy. 
To restrict all resources please duplicate this policy and - change the 'mode' to 'All'.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of resource types that can be deployed.\",\"displayName\":\"Allowed resource - types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesAllowed')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a08ec900-254a-4555-9bf5-e42af04b5c5c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1245 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0e45314-57b8-4623-80cd-bbb561f59516\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1406 - Maintenance Tools | Inspect Media\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\"},{\"properties\":{\"displayName\":\"Security - Center standard pricing tier should be selected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + deploy. Only resource types that support ''tags'' and ''location'' will be + affected by this policy. To restrict all resources please duplicate this policy + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + list of resource types that can be deployed.","displayName":"Allowed resource + types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft + Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft + Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Security/pricings\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"exists\":\"true\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"notEquals\":\"Standard\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1181c5f-672a-477a-979a-7d58aa086233\"},{\"properties\":{\"displayName\":\"All + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from - Service Bus namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Service + Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Service - Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1817ec0-a368-432a-8057-8371e17ac6ee\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a18adb5b-1db6-4a5b-901a-7d3797d12972\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Logic Apps to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + security 
model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft + Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or 
updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName')
, - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1dae6c7-13f3-48ea-a149-ff8442661f60\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Administrative Templates - - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Administrative Templates - System'. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1e8dda3-9fd2-4835-aec3-0e55531fde33\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1612 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2037b3d-8b04-4171-8610-e6d4f1d08db5\"},{\"properties\":{\"displayName\":\"Microsoft + 
rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60","type":"Microsoft.Authorization/policyDefinitions","name":"a1dae6c7-13f3-48ea-a149-ff8442661f60"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Administrative Templates + - System''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Administrative + Templates - System''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document - Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a20d2eaa-88e2-4907-96a2-8f3a05797e5c\"},{\"properties\":{\"displayName\":\"Microsoft + Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary - Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a23d9d53-ad2e-45ef-afd5-e6d10900a737\"},{\"properties\":{\"displayName\":\"Microsoft + Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion - Detection System\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2567a23-d1c3-4783-99f3-d471302a4d6b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2596a9f-e59f-420d-9625-6e0b536348be\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1059 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29b5d9f-4953-4afe-b560-203a6410b6b4\"},{\"properties\":{\"displayName\":\"Show - audit results from Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft + Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + Managed Control 1059 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show + audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29ee95c-0395-4515-9851-cc04ffe82a91\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1532 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2c66299-9017-4d95-8040-8bdbf7901d52\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1664 - Protection Of Information At Rest | Cryptographic 
Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2cdf6b8-9505-4619-b579-309ba72037ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1252 - Contingency Plan | Capacity Planning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1238 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1693 - Information System Monitoring | System-Generated Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a450eba6-2efc-4a00-846a-5804a93c6b77\"},{\"properties\":{\"displayName\":\"Audit - usage of custom RBAC rules\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit - built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft + Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft + Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft + Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft + Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit + usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit + built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a451c1ef-c6ca-483d-87ed-f49761e3ffb5\"},{\"properties\":{\"displayName\":\"Web - Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web + Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping 
attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a4af4a39-4135-47fb-b175-47fbdf85311d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1617 - Application Partitioning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a631d8f5-eb81-4f9d-9ee1-74431371e4a3\"},{\"properties\":{\"displayName\":\"Auditing - on SQL server should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Auditing + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft + Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing on your SQL Server should be enabled to track database activities across all - databases on the server and save them in an audit log.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Desired - Auditing 
setting\"},\"allowedValues\":[\"enabled\",\"disabled\"],\"defaultValue\":\"enabled\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\"},{\"properties\":{\"displayName\":\"The - Log Analytics agent should be installed on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired + Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The + Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log 
Analytics agent - is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a70ca396-0a34-413a-88e1-b956c1e683be\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1431 - Media Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7173c52-2b99-4696-a576-63dd5f970ef4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1644 - Cryptographic Key Establishment And Management | Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7211477-c970-446b-b4af-062f37461147\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1027 - Access Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\"},{\"properties\":{\"displayName\":\"DDoS - Protection Standard should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"DDoS + is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft + Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this 
Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft + Managed Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft + Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS + Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"microsoft.network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableDDoSProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7aca53f-2ed4-4466-a25e-0b45ade68efd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1570 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7fcf38d-bb09-4600-be7d-825046eb162a\"},{\"properties\":{\"displayName\":\"Require - encryption on Data Lake Store accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy ensures encryption is enabled on all Data Lake Store accounts\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},{\"field\":\"Microsoft.DataLakeStore/accounts/encryptionState\",\"equals\":\"Disabled\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7ff3161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1295 - Information System Recovery And Reconstitution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a895fbdb-204d-4302-9689-0a59dc42b3d9\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor unencrypted SQL databases in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Unencrypted + that is part of an application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft + Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require + encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"version":"1.0.0","category":"Data + Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: + 
Monitor unencrypted SQL databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a8bef009-a5c9-4d0f-90d7-6018734e8a16\"},{\"properties\":{\"displayName\":\"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary - / Alternate Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9172e76-7f56-46e9-93bf-75d69bdb5491\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1400 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96d5098-a604-4cdf-90b1-ef6449a27424\"},{\"properties\":{\"displayName\":\"Microsoft + / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft + Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit - Repositories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96f743d-a195-420d-983a-08aa06bc441e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1199 - Configuration Change Control | Cryptography Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a08d1c-09b1-48f1-90ea-029bbdf7111e\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft + Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Detailed Tracking'. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a33475-481d-4b81-9116-0bf02ffe67e8\"},{\"properties\":{\"displayName\":\"Deploy - network watcher when virtual networks are created\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''System Audit Policies - Detailed Tracking''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"networkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"equals\":\"[field('location')]\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2016-09-01\",\"type\":\"Microsoft.Network/networkWatchers\",\"name\":\"[concat('networkWatcher_', - parameters('location'))]\",\"location\":\"[parameters('location')]\"}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1511 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9eae324-d327-4539-9293-b48e122465f8\"},{\"properties\":{\"displayName\":\"MFA - should be enabled on accounts with owner permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft + Managed Control 1511 - 
Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa633080-8b72-40c4-a2d7-d00c03e80bed\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is 
enabled on WEB App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa81768c-cb87-4ce2-bfaa-00baa10d760c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1539 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aabb155f-e7a5-4896-a767-e918bfae2ee0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1006 - Account 
Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aae8d54c-4bce-4c04-b3aa-5b65b67caac8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1461 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aafef03e-fea8-470b-88fa-54bd1fcd7064\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1073 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\"},{\"properties\":{\"displayName\":\"Ensure - that 'PHP version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft + Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft + Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft + Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft + Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure + that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest - PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', - parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab965db2-d2bf-4b64-8b39-c38ec8179461\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Automatic provisioning of security monitoring agent\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Installs + and/or new functionalities of the latest 
version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: + Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. 
Applies only for subscriptions that use Azure Security Center.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"securityAgent\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abcc6037-1fc4-47f6-aac5-89706589be24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1323 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abe8f70b-680f-470c-9b86-a7edfb664ecc\"},{\"properties\":{\"displayName\":\"Advanced - data security should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL servers without Advanced Data 
Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\"},{\"properties\":{\"displayName\":\"Advanced - data security should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - SQL managed instances without Advanced Data Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\"},{\"properties\":{\"displayName\":\"Enable - Azure Security Center on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Identifies - existing subscriptions that are not monitored by Azure Security Center (ASC).\\nSubscriptions - not monitored by ASC will be registered to the free pricing tier.\\nSubscriptions - already monitored by ASC (free or standard), will be considered compliant.\\nTo + Security Center. 
Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft + Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced + data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced + data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered 
compliant.\nTo register newly created subscriptions, open the compliance tab, select the - relevant non-compliant assignment and create a remediation task.\\nRepeat - this step when you have one or more new subscriptions you want to monitor - with Security Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/pricings\",\"name\":\"VirtualMachines\",\"deploymentScope\":\"subscription\",\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"existenceCondition\":{\"anyof\":[{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"standard\"},{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"free\"}]},\"deployment\":{\"location\":\"westeurope\",\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Security/pricings\",\"apiVersion\":\"2018-06-01\",\"name\":\"VirtualMachines\",\"properties\":{\"pricingTier\":\"free\"}}],\"outputs\":{}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac076320-ddcf-4066-b451-6154267e8ad2\"},{\"properties\":{\"displayName\":\"Microsoft + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security 
Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message - Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac43352f-df83-4694-8738-cfce549fd08d\"},{\"properties\":{\"displayName\":\"[Preview]: - Role-Based Access Control (RBAC) should be used on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"To + Displays","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable 
or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation if 'environment' tag value in allowed values\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation if the 'environment' tag is set to one of the following - values: production, dev, test, staging\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags['environment']\",\"in\":[\"production\",\"dev\",\"test\",\"staging\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac7e5fc0-c029-4b12-91d4-a8500ce697f9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1569 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1454 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad58985d-ab32-4f99-8bd3-b7e134c90229\"},{\"properties\":{\"displayName\":\"Microsoft + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation if the ''environment'' tag is set to one of the following + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft + Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical - Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"adfe020d-0a97-45f4-a39c-696ef99f3a95\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1272 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\"},{\"properties\":{\"displayName\":\"SQL - Server should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL + Server should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae5d2f14-d830-42b6-9899-df6cfe9c71a3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1598 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae7e1f5e-2d63-4b38-91ef-bce14151cce3\"},{\"properties\":{\"displayName\":\"Email + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft + Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL managed - instance advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that 'email notification to admins and subscription owners' is enabled in + instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeb23562-188d-47cb-80b8-551f16ef9fff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1413 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeedddb6-6bc0-42d5-809b-80048033419d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1710 - Security Function 
Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\"},{\"properties\":{\"displayName\":\"Monitor - missing Endpoint Protection in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft + Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor + missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"endpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af6cd1bd-1635-48cb-bde7-5b15693900b9\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Monitor unaudited SQL servers in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"SQL - servers which don't have SQL auditing turned on will be monitored by Azure + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: + Monitor unaudited SQL servers in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"SQL + servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced - by the following policy: 'Auditing should be enabled on advanced data security - settings on SQL Server'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"auditing\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af8051bf-258b-44e2-a2bf-165330459f9d\"},{\"properties\":{\"displayName\":\"Microsoft + by the following policy: ''Auditing should be enabled on advanced data security + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric - Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afbd0baf-ff1a-4447-a86f-088a97347c0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1725 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afc234b5-456b-4aa5-b3e2-ce89108124cc\"},{\"properties\":{\"displayName\":\"Activity - log should be retained for at least one year\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft + Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity + log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"365\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"false\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"0\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b02aacc0-b073-424e-8298-42b22829ee0a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1429 - Media 
Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b07c9b24-729e-4e85-95fc-f224d2d08a80\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1711 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b083a535-a66a-41ec-ba7f-f9498bf67cde\"},{\"properties\":{\"displayName\":\"Just-In-Time - network access control should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft + Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft + Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time + network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"jitNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b0f33259-77d7-4c9e-aac6-3aabcfae693c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1571 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b11c985b-f2cd-4bd7-85f4-b52426edf905\"},{\"properties\":{\"displayName\":\"[Preview]: + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft + Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions - set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Linux virtual machines that do not have the passwd file permissions - set to 0644. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\
"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b18175dd-c599-4c64-83ba-bb018a06d35b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1537 - Risk Assessment Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b19454ca-0d70-42c0-acf5-ea1c1e5726d1\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1091 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\"},{\"properties\":{\"displayName\":\"Microsoft + set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Linux + virtual machines that do not have the passwd file permissions set to 0644. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Micro
soft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft + Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized - Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b25faf85-8a16-4f28-8e15-d05c0072d64d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1009 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b26f8610-e615-47c2-abd6-c00b2b0b503a\"},{\"properties\":{\"displayName\":\"All + Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from - Event Hub namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Event + Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Event - Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b278e460-7cfc-4451-8294-cccc40a940d7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1234 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b293f881-361c-47ed-b997-bc4e2296bc0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1107 - Content Of Audit Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and 
Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b29ed931-8e21-4779-8458-27916122a904\"},{\"properties\":{\"displayName\":\"Deploy + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft + Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft + Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication - protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows web servers - that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. 
This policy should only be used along with its corresponding + protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows web servers that + are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MinimumTLSVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Minimum - TLS version\",\"description\":\"The minimum TLS protocol version that should - be enabled. Windows web servers with lower TLS versions will be marked as - non-compliant.\"},\"allowedValues\":[\"1.1\",\"1.2\"],\"defaultValue\":\"1.1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\
"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[SecureWebServer]s1;MinimumTLSVersion', - '=', 
parameters('MinimumTLSVersion')))]\"},{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"\"},{\"value\":\"[parameters('MinimumTLSVersion')]\",\"equals\":\"1.1\"}]}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AuditSecureProtocol\"},\"MinimumTLSVersion\":{\"value\":\"[parameters('MinimumTLSVersion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MinimumTLSVersion\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fc8f91-866d-4434-9089-5ebfe38d6fd8\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum + TLS version","description":"The minimum TLS protocol version that should be + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Logon-Logoff''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Logon-Logoff'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3802d79-dd88-4bce-b81d-780218e48280\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3d8d15b-627a-4219-8c96-4d16f788888b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1380 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4319b7e-ea8d-42ff-8a67-ccd462972827\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Search services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + category: ''System Audit Policies - Logon-Logoff''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft + Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic + logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Search\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4330a05-a843-4bc8-bf9a-cacce50c67f4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1172 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b43e946e-a4c8-4b92-8201-4a39331db43c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1672 - Flaw Remediation | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b45fe972-904e-45a4-ac20-673ba027a301\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1131 - Protection Of Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b472a17e-c2bc-493f-b50b-42d55a346962\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft + Managed Control 1672 - 
Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft + Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an API app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b48334a4-911b-4084-b1ab-3e6a4e50b951\"},{\"properties\":{\"displayName\":\"A - security contact phone number should be provided for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/phone\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4d66858-c922-44e3-9566-5cdb7a7be744\"},{\"properties\":{\"displayName\":\"Microsoft + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency - Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4f9b47a-2116-4e6f-88db-4edbf22753f1\"},{\"properties\":{\"displayName\":\"Service - Fabric clusters should only use Azure Active Directory for client authentication\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"exists\":\"false\"},{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"equals\":\"\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b54ed75b-3e1a-44ac-a333-05ba39b99ff0\"},{\"properties\":{\"displayName\":\"Deploy - Advanced Threat Protection for Cosmos DB Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables Advanced Threat Protection across Cosmos DB accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cosmos - 
DB\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"cosmosDbAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('cosmosDbAccountName'), - '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"cosmosDbAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b5f04e03-92a3-4b09-9410-2cc5e5047656\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in App Services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy + Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos + DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), + 
''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic + logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"notContains\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6747bf9-2b97-45b8-b162-3c8becb9937d\"},{\"properties\":{\"displayName\":\"Microsoft + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft + Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network - Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1568 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8eae8-9854-495a-ac82-d2cd3eac02a6\"},{\"properties\":{\"displayName\":\"Network - Watcher should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft + Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network + Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"listOfLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Locations\",\"description\":\"Audit - if Network Watcher is not enabled for region(s).\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"NetworkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"in\":\"[parameters('listOfLocations')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1608 - Supply Chain Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements 
this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1401 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b78ee928-e3c1-4569-ad97-9f8c4b629847\"},{\"properties\":{\"displayName\":\"API - App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + if Network Watcher is not enabled for 
region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft + Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft + Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b7ddfbdc-1260-477d-91fd-98bd9be789a6\"},{\"properties\":{\"displayName\":\"Deploy + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does - not contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Members\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members\",\"description\":\"A + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. 
Ex: Administrator; myUser1; myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"
Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;Members', - '=', parameters('Members')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembers\"},\"Members\":{\"value\":\"[parameters('Members')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Members\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b821191b-3a12-44bc-9c38-212138a29ff3\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Accounts'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b872a447-cc6f-43b9-bccf-45703cd81607\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Logic Apps to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + local group. 
Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + ''='', parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Accounts''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. 
+ This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Accounts''. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\
"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b889a06c-ec72-4b03-910a-cb169ee18721\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Administrative operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative operations","policyType":"BuiltIn","mode":"All","description":"This policy audits specific Administrative operations with no activity log alerts - configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Administrative Operation name for which activity - log alert should be 
configured\"},\"allowedValues\":[\"Microsoft.Sql/servers/firewallRules/write\",\"Microsoft.Sql/servers/firewallRules/delete\",\"Microsoft.Network/networkSecurityGroups/write\",\"Microsoft.Network/networkSecurityGroups/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/delete\",\"Microsoft.Network/networkSecurityGroups/securityRules/write\",\"Microsoft.Network/networkSecurityGroups/securityRules/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Administrative\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b954148f-4c11-4c38-8221-be76711e194a\"},{\"properties\":
{\"displayName\":\"Microsoft - Managed Control 1257 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b958b241-4245-4bd6-bd2d-b8f0779fb543\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1186 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b95ba3bd-4ded-49ea-9d10-c6f4b680813d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1447 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9783a99-98fe-4a95-873f-29613309fe9a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1625 - Boundary Protection | Access Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9b66a4d-70a1-4b47-8fa1-289cec68c605\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1610 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9f3fb54-4222-46a1-a308-4874061f8491\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be 
configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft + Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft + Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft + Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft + Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft + Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Recovery console''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Recovery console'. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ba12366f-f9a6-42b8-9d98-157d0b1a837b\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Security Options - Recovery console''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat - And Vulnerability Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1726 - Information Handling And Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baff1279-05e0-4463-9a70-8ba5de4c7aa4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1166 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1188 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb20548a-c926-4e4d-855c-bcddc6faf95e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1533 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft + Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft + Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft + Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft + Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Microsoft Network Client'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network client: Digitally sign communications (always)\",\"description\":\"Specifies - whether packet signing is required by the SMB client component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network client: Send unencrypted password to third-party SMB servers\",\"description\":\"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it.\"},\"defaultValue\":\"0\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Amount of idle time required before suspending session\",\"description\":\"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,15\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Digitally sign communications (always)\",\"description\":\"Specifies - whether packet signing is required by the SMB server component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Microsoft network server: Disconnect clients when logon hours expire\",\"description\":\"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: 
Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users who are connected to the local computer outside - their user account's valid logon hours. This setting affects the Server Message + their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - 'Network security: Force logoff when logon hours expire'\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Comput
e/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Microsoft - network client: Digitally sign communications (always);ExpectedValue', '=', - parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', - 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', - '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), - ',', 'Microsoft network server: Amount of idle time required before suspending - session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), - ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', - '=', 
parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), - ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', - '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"string\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"string\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"string\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"string\"
},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft - network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft - network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft - network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft - network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft - network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft - network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bbcdd8fa-b600-4ee3-85b8-d184e3339652\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit API Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/
imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + network client: Digitally sign communications (always);ExpectedValue'', ''='', + parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', + ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers''), + '','', ''Microsoft network server: Amount of idle time required before 
suspending + session;ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''), + '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), + '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmount
OfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: + Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\"},{\"properties\":{\"displayName\":\"Microsoft + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / - Notification / Prohibition Of 
Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc34667f-397e-4a65-9b72-d0358f0b6b09\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1095 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc3f6f7a-057b-433e-9834-e8c97b0194f6\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'System Audit Policies - - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft + Managed Control 1095 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Account Logon'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc87d811-4a9b-47cc-ae54-0a41abda7768\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1427 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc90e44f-d83f-4bdf-900f-3d5eb4111b31\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1351 
- Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1050 - Concurrent Session Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd20184c-b4ec-4ce5-8db6-6e86352d183f\"},{\"properties\":{\"displayName\":\"[Preview]: - IP Forwarding on your virtual machine should be disabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enabling - IP forwarding on a virtual machine's NIC allows the machine to receive traffic + category: ''System Audit Policies - Account Logon''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft + Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft + Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling + IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"disableIPForwarding\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"Monitored\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd352bd5-2853-4985-bf0d-73806b4a5744\"},{\"properties\":{\"displayName\":\"Advanced - Threat Protection types should be set to 'All' in SQL managed instance Advanced - Data Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + Threat Protection types should be set to ''All'' in SQL managed instance Advanced + Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bda18df3-5e41-4709-add9-2554ce68c966\"},{\"properties\":{\"displayName\":\"Show + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains - any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + any of the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastru
cture-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bde62c94-ccca-4821-a815-92c1d31a76de\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be0a7681-bed4-48dc-9ff3-f0171ee170b6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1360 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be5b05e7-0b82-4ebc-9eda-25e447b1a41e\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Key Vault to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic 
settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bef3f64c-5290-43b7-85b0-9b254eef4c47\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1152 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\"},{\"properties\":{\"displayName\":\"Geo-redundant - storage should be enabled for Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy 
audits any Storage Account with geo-redundant storage not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":[\"Standard_GRS\",\"Standard_RAGRS\",\"Standard_GZRS\",\"Standard_RAGZRS\"]}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf045164-79ba-4215-8f95-f8048dc1780b\"},{\"properties\":{\"displayName\":\"Microsoft + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft + Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments - / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf296b8c-f391-4ea4-9198-be3c9d39dd1f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1446 - Physical And Environmental Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf6850fe-abba-468e-9ef4-d09ec7d983cd\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft + Managed Control 1446 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Logon-Logoff'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''System Audit Policies + - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditGroupMembership\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Group Membership\",\"description\":\"Specifies whether audit events - are generated when group memberships are enumerated on the client computer.\"},\"allowedValues\":[\"No - Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\
"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Group Membership;ExpectedValue', '=', 
parameters('AuditGroupMembership')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\"},\"AuditGroupMembership\":{\"value\":\"[parameters('AuditGroupMembership')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditGroupMembership\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Group Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Group 
Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c04255ee-1b9f-42c1-abaa-bf1553f79930\"},{\"properties\":{\"displayName\":\"Only - approved VM extensions should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy governs the virtual machine extensions that are not approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"approvedExtensions\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of approved extension types that 
can be installed. Example: AzureDiskEncryption\",\"displayName\":\"Approved - extensions\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"notIn\":\"[parameters('approvedExtensions')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c0e996f8-39cf-4af9-9f45-83fbde810432\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1124 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10152dd-78f8-4335-ae2d-ad92cc028da4\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1676 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1719 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c13da9b4-fe14-4fe2-853a-5997c9d4215a\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only + approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This + policy governs the virtual machine extensions that are not 
approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The + list of approved extension types that can be installed. Example: AzureDiskEncryption","displayName":"Approved + extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft + Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft + Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft + Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated - Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c158eb1c-ae7e-4081-8057-d527140c4e0c\"},{\"properties\":{\"displayName\":\"Deploy - associations for a custom provider\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy + associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. 
This policy deployment does not support nested resource types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Custom - Provider\"},\"parameters\":{\"targetCustomProviderId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Custom - provider ID\",\"description\":\"Resource ID of the Custom provider to which - resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource - types to associate\",\"description\":\"The list of resource types to be associated - to the custom provider.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association - name prefix\",\"description\":\"Prefix to be added to the name of the association - resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), - '-', uniqueString(parameters('targetCustomProviderId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetCustomProviderId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), - '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), - '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', 
uniqueString(parameters('targetCustomProviderId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, - '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetCustomProviderId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetCustomProviderId\":{\"value\":\"[parameters('targetCustomProviderId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1629 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c171b095-7756-41de-8644-a062a96043f2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1004 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c17822dc-736f-4eb4-a97d-e6be662ff835\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Asia data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + custom provider. 
This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom + Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom + provider ID","description":"Resource ID of the Custom provider to which resources + need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource + types to associate","description":"The list of resource types to be associated + to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association + name prefix","description":"Prefix to be added to the name of the association + resource being created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), + ''-'', uniqueString(parameters(''targetCustomProviderId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetCustomProviderId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), + ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), + ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', + uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, + 
''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft + Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft + Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"eastasia\",\"southeastasia\",\"westindia\",\"southindia\",\"centralindia\",\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + West India, South India, Central India, Japan East, Japan 
West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - Account Logon'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditCredentialValidation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Credential Validation\",\"description\":\"Specifies whether audit events - are generated when credentials are submitted for a user account logon request. 
- \ This setting is especially useful for monitoring unsuccessful attempts, - to find brute-force attacks, account enumeration, and potential account compromise - events on domain controllers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"Success and Failure\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-servic
es\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Credential Validation;ExpectedValue', '=', 
parameters('AuditCredentialValidation')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\"},\"AuditCredentialValidation\":{\"value\":\"[parameters('AuditCredentialValidation')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditCredentialValidation\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Credential Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Credential 
Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1e289c0-ffad-475d-a924-adc058765d65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1503 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\"},{\"properties\":{\"displayName\":\"Deploy + with non-compliant settings in Group Policy category: ''System Audit Policies + - Account Logon''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsof
t.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft + Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time - zone\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not set to the specified time zone. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Time - zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) - International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) - Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) - Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja - California\",\"(UTC-08:00) Coordinated Universal Time-08\",\"(UTC-08:00) Pacific - Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, - Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central - America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter - Island\",\"(UTC-06:00) Guadalajara, Mexico City, Monterrey\",\"(UTC-06:00) - Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) - Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) - Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) - Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) - Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) - Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) - Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos - Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) - Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) - Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) - Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) - 
Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) - Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, - Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, - Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) - Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) - Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) - Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, - Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, - Sofia, Tallinn, Vilnius\",\"(UTC+02:00) Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) - Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) - Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) - Minsk\",\"(UTC+03:00) Moscow, St. Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) - Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) - Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) - Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) - Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) - Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) - Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) - Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) - Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, - Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) - Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong - Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) - Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) 
Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) - Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) - Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) - Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, - Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) - Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) - Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) - Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) - Auckland, Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) - Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham - Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) - Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"win
dows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', - '=', 
parameters('TimeZone')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c21f7060-c148-41cf-a68b-0ab3e14c764c\"},{\"properties\":{\"displayName\":\"Show + zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates + a Guest Configuration assignment to audit Windows virtual machines that are + not set to the specified time zone. It also creates a system-assigned managed + identity and deploys the VM extension for Guest Configuration. This policy + should only be used along with its corresponding audit policy in an initiative. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time + zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) + Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) + Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) + Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) + Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time + (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US + & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, + Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio + Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) + Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks + and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) + Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San + Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) + Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) + Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) + Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated + Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) + Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, + Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) + Casablanca","(UTC+01:00) 
Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) + Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, + Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) + West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) + Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) + Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, + Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) + Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) + Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, + St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu + Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) + Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) + Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) + Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) + Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) + Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) + Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, + Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) + Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, + Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, + Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) + Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) + Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) + Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, 
Sydney","(UTC+10:00) + Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) + Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) + Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) + Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) + Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) + Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) + Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"},{"properties":{"displayName":"Show audit results from Windows VMs on which the specified services are not installed - and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which the specified services are not - installed and 'Running'. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\"},{\"properties\":{\"displayName\":\"Ensure - that '.Net Framework' version is the latest, if used as a part of the API - app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + and ''Running''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines on which the specified services are not installed and ''Running''. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + that ''.Net Framework'' version is the latest, if used as a part of the API + app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1176 - Baseline Configuration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1389 - Information Spillage 
Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c39e6fda-ae70-4891-a739-be7bba6d1062\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1390 - Information Spillage Response | Responsible Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3b65b63-09ec-4cb5-8028-7dd324d10eb0\"},{\"properties\":{\"displayName\":\"System - updates on virtual machine scale sets should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft + Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft + Managed Control 1389 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft + Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System + updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"SystemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3f317a7-a95c-4547-b7e7-11017ebdf2fe\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: + Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffe
r\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40c9087-1981-4e73-9f53-39743eda9d05\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40f31a7-81e1-4130-99e5-a02ceea2a1d6\"},{\"properties\":{\"displayName\":\"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU
","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + Managed Control 1220 - 
Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection - Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c416970d-b12b-49eb-8af4-fb144cd7c290\"},{\"properties\":{\"displayName\":\"Microsoft + Measures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection - signatures\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy audits any Windows virtual machine not configured with automatic update - of Microsoft Antimalware protection signatures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"equals\":\"Windows\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c43e4a30-77cb-48ab-a4dd-93f175c63b57\"},{\"properties\":{\"displayName\":\"[Preview]: - Container Registry should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy + audits any Windows virtual machine not configured with automatic update of + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: + Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Network\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerRegistry/registries\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4857be7-912a-4c75-87e6-e30292bcdf78\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1235 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c49c610b-ece4-44b3-988c-2172b70d6e46\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1173 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4aff9e7-2e60-46fa-86be-506b79033fc5\"},{\"properties\":{\"displayName\":\"Managed - identity should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use - a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft + Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed + identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they - reach the API app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - 
or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4ebc54a-46e1-481a-bee2-d4411e95d828\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1600 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c53f3123-d233-44a7-930b-f40d3bfeb7d6\"},{\"properties\":{\"displayName\":\"An - activity log alert should exist for specific Policy operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits specific Policy operations with no activity log alerts configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or 
disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation - Name\",\"description\":\"Policy Operation name for which activity log alert - should exist\"},\"allowedValues\":[\"Microsoft.Authorization/policyAssignments/write\",\"Microsoft.Authorization/policyAssignments/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts\",\"exists\":\"true\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Policy\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5447c04-a4d7-4ba8-a263-c9ee321a6858\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1408 - Maintenance Tools | Prevent Unauthorized 
Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\"},{\"properties\":{\"displayName\":\"[Preview]: + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft + Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft + Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring - within the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateStorePath\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate store path\",\"description\":\"The path to the certificate store - containing the certificates to check the expiration dates of. Default value - is 'Cert:' which is the root certificate store path, so all certificates on - the machine will be checked. 
Other example paths: 'Cert:\\\\LocalMachine', - 'Cert:\\\\LocalMachine\\\\TrustedPublisher', 'Cert:\\\\CurrentUser'\"},\"defaultValue\":\"Cert:\"},\"ExpirationLimitInDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Expiration limit in days\",\"description\":\"An integer indicating the number + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' + which is the root certificate store path, so all certificates on the machine + will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will - cause this policy to be non-compliant.\"},\"defaultValue\":\"30\"},\"CertificateThumbprintsToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints to include\",\"description\":\"A semicolon-separated - list of certificate thumbprints to check under the specified path. If a value - is not specified, all certificates under the certificate store path will be - checked. If a value is specified, no certificates other than those with the - thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"CertificateThumbprintsToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Certificate thumbprints to exclude\",\"description\":\"A semicolon-separated - list of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"IncludeExpiredCertificates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Include expired certificates\",\"description\":\"Must be 'true' or 'false'. + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. True indicates that any found certificates that have already expired will also make this policy non-compliant. 
False indicates that certificates that - have expired will be be ignored.\"},\"allowedValues\":[\"true\",\"false\"],\"defaultValue\":\"false\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exis
ts\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateStorePath', - '=', parameters('CertificateStorePath'), ',', '[CertificateStore]CertificateStore1;ExpirationLimitInDays', - '=', parameters('ExpirationLimitInDays'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', - '=', parameters('CertificateThumbprintsToInclude'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude', - '=', parameters('CertificateThumbprintsToExclude'), ',', '[CertificateStore]CertificateStore1;IncludeExpiredCertificates', - '=', 
parameters('IncludeExpiredCertificates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"CertificateExpiration\"},\"CertificateStorePath\":{\"value\":\"[parameters('CertificateStorePath')]\"},\"ExpirationLimitInDays\":{\"value\":\"[parameters('ExpirationLimitInDays')]\"},\"CertificateThumbprintsToInclude\":{\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},\"CertificateThumbprintsToExclude\":{\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},\"IncludeExpiredCertificates\":{\"value\":\"[parameters('IncludeExpiredCertificates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateStorePath\":{\"type\":\"string\"},\"ExpirationLimitInDays\":{\"type\":\"string\"},\"CertificateThumbprintsToInclude\":{\"type\":\"string\"},\"CertificateThumbprintsToExclude\":{\"type\":\"string\"},\"IncludeExpiredCertificates\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1670 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6108469-57ee-4666-af7e-79ba61c7ae0c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1190 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c66a3d1e-465b-4f28-9da5-aef701b59892\"},{\"properties\":{\"displayName\":\"Microsoft + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","
equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', + ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', + ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', + ''='', 
parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"IncludeExpiredCertificates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft + Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft + Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration - / Scanning And Monitoring Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c69b870e-857b-458b-af02-bb234f7a00d3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1125 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1619 - Information In Shared Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c722e569-cb52-45f3-a643-836547d016e1\"},{\"properties\":{\"displayName\":\"Microsoft + / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft + Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft + Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation - With Physical Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\"},{\"properties\":{\"displayName\":\"Authentication - should be enabled on your Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before - they reach the Function app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"equals\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1353 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c785ad59-f78f-44ad-9a7f-d1202318c748\"},{\"properties\":{\"displayName\":\"Email + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft + Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server - advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit - that 'email notification to admins and subscription owners' is enabled in + advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Batch Account to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccounts/providers/diagnosticSettings\",\"apiVer
sion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c84e5349-db6d-4769-805e-e14037dab9b5\"},{\"properties\":{\"displayName\":\"[Deprecated]: - API App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: + API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForApiApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1470 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c89ba09f-2e0f-44d0-8095-65b05bd151ef\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Interactive Logon'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compu
te/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8abcef9-fc26-482f-b8db-5fa60ee4586d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1018 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9121abf-e698-4ee9-b1cf-71ee528ff07f\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Data Lake Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + category: ''Security Options - Interactive Logon''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equ
als":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic + logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data - Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c95c74d9-38fe-4f0d-af86-0c7d626a315c\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'User Rights Assignment'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c961dac9-5916-42e8-8fb1-703148323994\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''User Rights Assignment''. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"fie
ld\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPendingReboot\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c96f3246-4382-4264-bf6b-af0b35e23c3c\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/i
mageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c","type":"Microsoft.Authorization/policyDefinitions","name":"c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. 
- A storage account with name '{storagePrefixParameter}{NSGLocation}' will be - automatically created.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"storagePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Storage - Account Prefix for Regional Storage Account\",\"description\":\"This prefix - will be combined with the network security group location to form the created - storage account name.\"}},\"rgName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource - Group Name for Storage Account (must exist)\",\"description\":\"The resource - group that the storage account will be created in. This resource group must - already exist.\",\"strongType\":\"ExistingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"setbypolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"},\"nsgName\":{\"type\":\"string\"},\"rgName\":{\"type\":\"string\"}},\"variables\":{\"storageDeployName\":\"[concat('policyStorage_', - uniqueString(parameters('location'), 
parameters('nsgName')))]\"},\"resources\":[{\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\"name\":\"[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]\",\"apiVersion\":\"2017-05-01-preview\",\"location\":\"[parameters('location')]\",\"dependsOn\":[\"[variables('storageDeployName')]\"],\"properties\":{\"storageAccountId\":\"[reference(variables('storageDeployName')).outputs.storageAccountId.value]\",\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}]}},{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('storageDeployName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('rgName')]\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-06-01\",\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[concat(parameters('storageprefix'), - parameters('location'))]\",\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"kind\":\"Storage\",\"location\":\"[parameters('location')]\",\"tags\":{\"created-by\":\"policy\"},\"scale\":null,\"properties\":{\"networkAcls\":{\"bypass\":\"AzureServices\",\"defaultAction\":\"Allow\",\"ipRules\":[],\"virtualNetworkRules\":[]},\"supportsHttpsTrafficOnly\":true}}],\"outputs\":{\"storageAccountId\":{\"type\":\"string\",\"value\":\"[resourceId(parameters('rgName'), - 'Microsoft.Storage/storageAccounts',concat(parameters('storagePrefix'), 
parameters('location')))]\"}}}}}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"},\"nsgName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\"},{\"properties\":{\"displayName\":\"Storage - accounts should allow access from trusted Microsoft services\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Some + A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + Account Prefix for Regional Storage Account","description":"This prefix will + be combined with the network security group location to form the created storage + account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource + Group Name for Storage Account (must exist)","description":"The resource group + that the storage account will be created in. 
This resource group must already + exist.","strongType":"ExistingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/networkSecurityGroups"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"setbypolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"},"nsgName":{"type":"string"},"rgName":{"type":"string"}},"variables":{"storageDeployName":"[concat(''policyStorage_'', + uniqueString(parameters(''location''), parameters(''nsgName'')))]"},"resources":[{"type":"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings","name":"[concat(parameters(''nsgName''),''/Microsoft.Insights/setbypolicy'')]","apiVersion":"2017-05-01-preview","location":"[parameters(''location'')]","dependsOn":["[variables(''storageDeployName'')]"],"properties":{"storageAccountId":"[reference(variables(''storageDeployName'')).outputs.storageAccountId.value]","logs":[{"category":"NetworkSecurityGroupEvent","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"NetworkSecurityGroupRuleCounter","enabled":true,"retentionPolicy":{"enabled":false,"days":0}}]}},{"apiVersion":"2017-05-10","name":"[variables(''storageDeployName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''rgName'')]","properties":{"mode":"incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0
.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"}},"resources":[{"apiVersion":"2017-06-01","type":"Microsoft.Storage/storageAccounts","name":"[concat(parameters(''storageprefix''), + parameters(''location''))]","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"[parameters(''location'')]","tags":{"created-by":"policy"},"scale":null,"properties":{"networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[],"virtualNetworkRules":[]},"supportsHttpsTrafficOnly":true}}],"outputs":{"storageAccountId":{"type":"string","value":"[resourceId(parameters(''rgName''), + ''Microsoft.Storage/storageAccounts'',concat(parameters(''storagePrefix''), + parameters(''location'')))]"}}}}}]},"parameters":{"location":{"value":"[field(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"},"rgName":{"value":"[parameters(''rgName'')]"},"nsgName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","type":"Microsoft.Authorization/policyDefinitions","name":"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89"},{"properties":{"displayName":"Storage + accounts should allow access from trusted Microsoft services","policyType":"BuiltIn","mode":"Indexed","description":"Some Microsoft services that interact with storage accounts operate from networks - that can't be granted access through network rules. To help this type of service - work as intended, allow the set of trusted Microsoft services to bypass the - network rules. 
These services will then use strong authentication to access - the storage account.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"exists\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"notContains\":\"AzureServices\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9d007d0-c057-4772-b18c-01e546713bcd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1035 - Least Privilege | Authorize Access To Security Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca94b046-45e2-444f-a862-dc8ce262a516\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1243 - Contingency Planning Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca9a4469-d6df-4ab2-a42f-1213c396f0ec\"},{\"properties\":{\"displayName\":\"Microsoft + that can''t be granted access through network rules. To help this type of + service work as intended, allow the set of trusted Microsoft services to bypass + the network rules. These services will then use strong authentication to access + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft + Managed Control 1035 - Least Privilege | Authorize Access To Security 
Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft + Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. - Access To Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + Access To Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote + debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. 
Remote - debugging should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb510bfd-1cba-4d9f-a230-cb0976f4bb71\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1486 - Alternate Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb790345-a51f-43de-934e-98dbfaf9dca5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1167 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cbb2be76-4891-430b-95a7-ca0b0a3d1300\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1374 - Incident Response Assistance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc5c8616-52ef-4e5e-8000-491634ed9249\"},{\"properties\":{\"displayName\":\"Show + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft + Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft + Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft + Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not - contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc7cda28-f867-4311-8497-a526129a8d19\"},{\"properties\":{\"displayName\":\"[Preview]: - Sensitive data in your SQL databases should be classified\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedInstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlDataClassification\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\"},{\"properties\":{\"displayName\":\"Allowed - virtual machine SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that 
your organization - can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of SKUs that can be specified for virtual machines.\",\"displayName\":\"Allowed - SKUs\",\"strongType\":\"VMSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"field\":\"Microsoft.Compute/virtualMachines/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cccc23c7-8427-4f53-ad12-b6a63eb452b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1443 - Media Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\"},{\"properties\":{\"displayName\":\"Inherit - a tag from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + can deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + list of SKUs that can be specified for virtual machines.","displayName":"Allowed + 
SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft + Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit + a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[resourceGroup().tags[parameters('tagName')]]\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd3aa116-8754-49c9-a813-ad46512ece54\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation if 'department' tag set\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation only if the 'department' tag is set\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags\",\"containsKey\":\"department\"}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd8dc879-a2ae-43c3-8211-1877c5755064\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1582 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs that allow re-use of the previous 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation only if the ''department'' tag 
is set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdbf72d9-ac9c-4026-8a3a-491a5ac59293\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1104 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdd8d244-18b2-4306-a1d1-df175ae0935f\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 
'System Audit - Policies - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/vir
tualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies 
- - Privilege Use'. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imag
eOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce2370f6-0ac5-4d85-8ab4-10721cc640b0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1209 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce669c31-9103-4552-ae9c-cdef4e03580d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1242 - Contingency Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3b3293-667a-445e-a722-fa0b0afc0958\"},{\"properties\":{\"displayName\":\"Microsoft + with non-compliant settings in Group Policy category: ''System Audit Policies + - Privilege Use''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft + Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft + Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications - And Anomalous System Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3e4836-f19e-47eb-a8cd-c3ca150452c0\"},{\"properties\":{\"displayName\":\"Microsoft + And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate - Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf55fc87-48e1-4676-a2f8-d9a8cf993283\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Key Vault should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + logs in Key Vault should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf820ca0-f99e-4f3e-84fb-66e913812d21\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"1.0.0","category":"Key + 
Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using - Sampling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d03516cf-0293-489f-9b32-a18f2a79f836\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1724 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d07594d1-0307-4c08-94db-5d71ff31f0f6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1084 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\"},{\"properties\":{\"displayName\":\"Add - or replace a tag on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft + Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft + Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add + or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. 
Existing resource groups can be remediated by triggering a remediation - task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d157c373-a6c4-483d-aaad-570756956268\"},{\"properties\":{\"displayName\":\"Enforce - SSL connection should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag + Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","type":"Microsoft.Authorization/policyDefinitions","name":"d157c373-a6c4-483d-aaad-570756956268"},{"properties":{"displayName":"Enforce + SSL connection should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps - protect against 'man-in-the-middle' attacks by encrypting the data stream - between the server and your application\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d158790f-bfb0-486c-8631-2dc6b4e8e6af\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1620 - Denial Of Service Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d17c826b-1dec-43e1-a984-7b71c446649c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1880188-e51a-4772-b2ab-68f5e8bd27f6\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Function Apps that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + protect against ''man-in-the-middle'' attacks by encrypting the data stream + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft + Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft + Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + Audit Function Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\"},{\"properties\":{\"displayName\":\"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 
1195 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1e1d65c-1013-4484-bd54-991332e6a0d2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1721 - Spam Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1106 - Audit Events | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d2b4feae-61ab-423f-a4c5-0e38ac4464d8\"},{\"properties\":{\"displayName\":\"Microsoft + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft + Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft + Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation - Of Information Flows\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3531453-b869-4606-9122-29c1cd6e7ed1\"},{\"properties\":{\"displayName\":\"[Preview]: + Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is - not compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDscConfiguration\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38b4c26-9d2e-47d7-aefe-18d859a8706a\"},{\"properties\":{\"displayName\":\"Long-term - geo-redundant backup should be enabled for 
Azure SQL Databases\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/
storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies\",\"name\":\"default\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention\",\"notEquals\":\"PT0S\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38fc420-0735-4ef3-ac11-c806f651a570\"},{\"properties\":{\"displayName\":\"Microsoft + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic - Or Alternate Physical Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d39d4f68-7346-4133-8841-15318a714a24\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1249 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3bf4251-0818-42db-950b-afd5b25a51c2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1562 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4142013-7964-4163-a313-a900301c2cef\"},{\"properties\":{\"displayName\":\"Virtual - machines should be connected to an approved virtual network\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft + Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft + Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual + machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The - effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"virtualNetworkId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual - network Id\",\"description\":\"Resource Id of the virtual network. 
Example: - /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id\",\"like\":\"[concat(parameters('virtualNetworkId'),'/*')]\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d416745a-506c-48b6-8ab1-83cb814bcaa3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1383 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4558451-e16a-4d2d-a066-fe12a6282bb9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1112 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d530aad8-4ee2-45f4-b234-c061dae683c0\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual + network Id","description":"Resource Id of the virtual network. 
Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft + Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft + Managed Control 1112 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics workspace\",\"description\":\"Select Log Analytics workspace from - dropdown list. 
If this workspace is outside of the scope of the assignment - you must manually grant 'Log Analytics Contributor' permissions (or similar) - to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSetti
ngs\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1585 - Security Engineering Principles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d57f8732-5cdc-4cda-8d27-ab148e1f3a55\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1667 - System And Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d61880dc-6e38-4f2a-a30c-3406a98f8220\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1150 - Security Assessments | External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d630429d-e763-40b1-8fba-d20ba7314afb\"},{\"properties\":{\"displayName\":\"Event - Hub should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. 
If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft + Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft + Managed Control 1667 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft + Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event + Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d63edb4a-c612-454d-b47d-191a724fcbf0\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1549 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d6976a08-d969-4df2-bb38-29556c2eb48a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1473 - Emergency Power\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7047705-d719-46a7-8bb0-76ad233eba71\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1529 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d74fdc92-1cb8-4a34-9978-8556425cd14c\"},{\"properties\":{\"displayName\":\"Microsoft + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft + Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft + Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft + Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) - | Use Of FICAM-Issued Profiles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d77fd943-6ba6-4a21-ba07-22b03e347cc4\"},{\"properties\":{\"displayName\":\"Show + | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not - enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows Server virtual machines on which Windows Serial Console is - not enabled. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7ccd0ca-8d78-42af-a43d-6b7f928accbc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1016 - Account Management | Automated Audit Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8b43277-512e-40c3-ab00-14b3b6e72238\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1488 - Alternate Work 
Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8ef30eb-a44f-47af-8524-ac19a36d41d2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d922484a-8cfc-4a6b-95a4-77d6a685407f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1271 - Alternate Storage Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3bfb53-9c46-4010-b3db-a7ba1296dada\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1516 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3cd269-156f-435b-b472-c3af34c032ed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Batch Account to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + enabled","policyType":"BuiltIn","mode":"All","description":"This policy should + only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + Server virtual machines on which Windows Serial Console is not enabled. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft + Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft + Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft + Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft + Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The 
diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resour
ceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"db51110f-0865-4a6e-b274-e2e07a5b2cd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1277 - Alternate Processing Site | Priority Of Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dc43e829-3d50-4a0a-aa0f-428d551862aa\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1439 - Media 
Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dce72873-c5f1-47c3-9b4f-6b8207fd5a45\"},{\"properties\":{\"displayName\":\"Microsoft + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft + Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft + Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related - Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd280d4b-50a1-42fb-a479-ece5878acf19\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd2ea520-6b06-45c3-806e-ea297c23e06a\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs 
configurations in 'System Audit Policies - - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''System Audit Policies + - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'System Audit Policies - Policy Change'. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd4680ed-0559-4a6a-ad10-081d14cbb484\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''System Audit Policies - Policy Change''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated - Response To Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd469ae0-71a8-4adc-aafc-de6949ca3339\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1678 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd533cb0-b416-4be7-8e86-4d154824dfd7\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1391 - Information Spillage Response | Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd6ac1a1-660e-4810-baa8-74e868e2ed47\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1146 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd83410c-ecb6-4547-8f14-748c3cbdc7ac\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1602 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddae2e97-a449-499f-a1c8-aea4a7e52ec9\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Settings - - Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft + Managed Control 1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft + Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft + Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft + Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Settings + - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Settings - Account Policies'. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddb53c61-9db4-41d4-a953-2abff5b66c12\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + category: ''Security Settings - Account Policies''. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Recovery console'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Options - + Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Recovery console: Allow floppy copy and access to all drives and all folders\",\"description\":\"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment 
variables.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Wi
ndows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue', - '=', parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsRecoveryconsole\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1689 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"de901f2f-a01a-4456-97f0-33cda7966172\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1528 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"deb9797c-22f8-40e8-b342-a84003c924e6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dff0b90d-5a6f-491c-b2f8-b90aa402d844\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows - resource creation in the following locations only: Japan East, Japan 
West\",\"metadata\":{\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e01598e8-6538-41ed-95e8-8b29746cd697\"},{\"properties\":{\"displayName\":\"Cosmos - DB should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft + Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft + Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft + Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: + Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos + DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},{\"field\":\"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\"},{\"properties\":{\"displayName\":\"Microsoft + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / - Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0de232d-02a0-4652-872d-88afb4ae5e91\"},{\"properties\":{\"displayName\":\"Deploy + Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows - PowerShell execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ExecutionPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell - Execution Policy\",\"description\":\"The expected PowerShell execution policy.\"},\"allowedValues\":[\"AllSigned\",\"Bypass\",\"Default\",\"RemoteSigned\",\"Restricted\",\"Undefined\",\"Unrestricted\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy', - '=', 
parameters('ExecutionPolicy')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellExecutionPolicy\"},\"ExecutionPolicy\":{\"value\":\"[parameters('ExecutionPolicy')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ExecutionPolicy\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0efc13a-122a-47c5-b817-2ccfe5d12615\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated - Notifications Of Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e12494fa-b81e-4080-af71-7dbacc2da0ec\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1686 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e17085c5-0be8-4423-b39b-a52d3d1402e5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1722 - Spam Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1da06bd-25b6-4127-a301-c313d6873fff\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in security configuration on your machines should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft + Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft + Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities + in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"osVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1047 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1276 - Alternate Processing Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e214e563-1206-4a43-a56b-ac5880c9c571\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1560 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e29e0915-5c2f-4d09-8806-048b749ad763\"},{\"properties\":{\"displayName\":\"Ensure - that 'HTTP Version' is the latest, if used to run the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft + Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft + Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft + Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure + that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2c1c086-2d84-4019-bff3-c44ccd95113c\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Dependency Agent Deployment in VMSS - VM Image (OS) 
unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: + Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Optional: - List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example - value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldis
k\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\"
,\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10\",\"type\":\"Microsoft.Autho
rization/policyDefinitions\",\"name\":\"e2dd799a-a932-4e9d-ac17-d473bc3c6c10\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1161 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1387 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3007185-3857-43a9-8237-06ca94f1084c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1479 - Fire Protection | Automatic Fire Suppression\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e327b072-281d-4f75-9c28-4216e5d72f26\"},{\"properties\":{\"displayName\":\"Azure - VPN gateways should not use 'basic' SKU\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy ensures that VPN gateways do not use 'basic' SKU.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworkGateways\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/gatewayType\",\"equals\":\"Vpn\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/sku.tier\",\"equals\":\"Basic\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\"},{\"properties\":{\"displayName\":\"MFA - should be enabled on accounts with read permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + as support is 
updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":
"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority"
,"SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft + Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft + Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft + Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure + VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3576e28-8b17-4677-84c3-db2990658d64\"},{\"properties\":{\"displayName\":\"RDP - access from the Internet should be blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits any network security rule that allows RDP access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"3389\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), - 
contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), - contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))), sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), - '-'))))),3389), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), - contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), - contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), - '-'))))),3389), 
'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e372f825-a257-4fb8-9175-797a8a8627d6\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Shutdown'. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3a77a94-cf41-4ee8-b45c-98be28841c03\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - - Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + read privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), 
sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: + Show audit results from Windows VMs configurations in ''Security Options - + Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines with non-compliant settings in Group Policy category: ''Security + Options - Shutdown''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings + - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Settings - - Account Policies'. It also creates a system-assigned managed identity and + with non-compliant settings in Group Policy category: ''Security Settings + - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnforcePasswordHistory\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Enforce password history\",\"description\":\"Specifies limits on password - reuse - how many times a new password must be created for a user account before - the password can be repeated.\"},\"defaultValue\":\"24\"},\"MaximumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Maximum password age\",\"description\":\"Specifies the maximum number of days + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days that may elapse before a user account password must be changed. 
The format - of the value is two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,70\"},\"MinimumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum password age\",\"description\":\"Specifies the minimum number of days - that must elapse before a user account password can be changed.\"},\"defaultValue\":\"1\"},\"MinimumPasswordLength\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum password length\",\"description\":\"Specifies the minimum number of - characters that a user account password may contain.\"},\"defaultValue\":\"14\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Password must meet complexity requirements\",\"description\":\"Specifies whether + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether a user account password must be complex. 
If required, a complex password must - not contain part of user's account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":
[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enforce - password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), - ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), - ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), - ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), - ',', 'Password must meet complexity requirements;ExpectedValue', '=', 
parameters('PasswordMustMeetComplexityRequirements')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecuritySettingsAccountPolicies\"},\"EnforcePasswordHistory\":{\"value\":\"[parameters('EnforcePasswordHistory')]\"},\"MaximumPasswordAge\":{\"value\":\"[parameters('MaximumPasswordAge')]\"},\"MinimumPasswordAge\":{\"value\":\"[parameters('MinimumPasswordAge')]\"},\"MinimumPasswordLength\":{\"value\":\"[parameters('MinimumPasswordLength')]\"},\"PasswordMustMeetComplexityRequirements\":{\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnforcePasswordHistory\":{\"type\":\"string\"},\"MaximumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordLength\":{\"type\":\"string\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce - password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum - password 
age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum - password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum - password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password - must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce - password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum - password age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum - password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum - password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password - must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3d95ab7-f47a-49d8-a347-784177b6c94c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1451 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3f1e5a3-25c1-4476-8cb6-3955031f8e65\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1357 - Incident Response Training | Automated Training Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e4213689-05e8-4241-9d4e-8dd1cdafd105\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), + '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), + '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), + '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), + '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft + Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft + Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - User Account Control'. It also creates a system-assigned managed identity + with non-compliant settings in Group Policy category: ''Security Options - + User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Admin Approval Mode for the Built-in Administrator account\",\"description\":\"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account.\"},\"defaultValue\":\"1\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: UAC: Behavior of the elevation prompt for administrators in Admin Approval - Mode\",\"description\":\"Specifies the behavior of the elevation prompt for - administrators.\"},\"defaultValue\":\"2\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Detect application installations and prompt for elevation\",\"description\":\"Specifies - the behavior of application installation detection for the 
computer.\"},\"defaultValue\":\"1\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - UAC: Run all administrators in Admin Approval Mode\",\"description\":\"Specifies - the behavior of all User Account Control (UAC) policy settings for the computer.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infr
astructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', - '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), - ',', 'User Account Control: Behavior of the elevation prompt for administrators - in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), - ',', 'User Account Control: Detect application installations and prompt for - elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), - ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', - '=', 
parameters('UACRunAllAdministratorsInAdminApprovalMode')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsUserAccountControl\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"string\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"string\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"string\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', + ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), + '','', ''User Account Control: Behavior of the elevation prompt for administrators + in Admin Approval Mode;ExpectedValue'', ''='', parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode''), + '','', ''User Account Control: Detect application installations and prompt + for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), + '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin - Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User - Account Control: Detect application installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User - Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User - Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin - Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User - Account Control: Detect application installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User - Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e425e402-a050-45e5-b010-bd3f934589fc\"},{\"properties\":{\"displayName\":\"Microsoft + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted - Static Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e51ff84b-e5ea-408f-b651-2ecc2933e4c6\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1381 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5368258-9684-4567-8126-269f34e65eab\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1421 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e539caaa-da8c-41b8-9e1e-449851e2f7a6\"},{\"properties\":{\"displayName\":\"Microsoft + Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft + Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft + Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration - Of Detection And Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e54c325e-42a0-4dcf-b105-046e0f6f590f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1023 - Account Management | Usage Conditions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\"},{\"properties\":{\"displayName\":\"Allowed - locations\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy enables you to restrict the locations your organization can specify - when deploying resources. Use to enforce your geo-compliance requirements. - Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and - resources that use the 'global' region.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources.\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"},{\"field\":\"location\",\"notEquals\":\"global\"},{\"field\":\"type\",\"notEquals\":\"Microsoft.AzureActiveDirectory/b2cDirectories\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e56962a6-4747-49cd-b67b-bf8b01975c4c\"},{\"properties\":{\"displayName\":\"Microsoft + Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft + Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed + locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy + enables you to restrict the locations your organization can specify when deploying + resources. Use to enforce your geo-compliance requirements. 
Excludes resource + groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed + locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction - Recovery\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e57b98a0-a011-4956-a79d-5d17ed8b8e48\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1499 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e59671ab-9720-4ee2-9c60-170e8c82251e\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft + Managed Control 1499 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Accounts'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AccountsGuestAccountStatus\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Accounts: Guest account status\",\"description\":\"Specifies whether the local - Guest account is disabled.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"fiel
d\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Accounts: - Guest account status;ExpectedValue', '=', 
parameters('AccountsGuestAccountStatus')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAccounts\"},\"AccountsGuestAccountStatus\":{\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AccountsGuestAccountStatus\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: - Guest account status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: - Guest account 
status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5b81f87-9185-4224-bf00-9f505e9f89f3\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Applications that are not using latest supported Node.js Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: + Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. 
Using - older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestNodeJS\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e67687e8-08d5-4e7f-8226-5b4753bba008\"},{\"properties\":{\"displayName\":\"Microsoft + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access - To Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e6e41554-86b5-4537-9f7f-4fc41a1d1640\"},{\"properties\":{\"displayName\":\"Subnets - should be associated with a Network Security Group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets + should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnSubnets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e71308d3-144b-4262-b144-efdc3cc90517\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1567 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services 
Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e72edbf6-aa61-436d-a227-0f32b77194b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1311 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7568697-0c9e-4ea3-9cec-9e567d14f3c6\"},{\"properties\":{\"displayName\":\"Advanced - Threat Protection types should be set to 'All' in SQL server Advanced Data - Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft + Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft + Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced + Threat Protection types should be set to ''All'' in SQL server Advanced Data + Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e756b945-1b1b-480b-8de8-9a0859d5f7ad\"},{\"properties\":{\"displayName\":\"Microsoft + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National - Security System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\"},{\"properties\":{\"displayName\":\"Allowed - locations for resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed + locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that resource groups can be created in.\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e765b5de-1225-4ba3-bd56-1ac6695af988\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1273 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e77fcbf2-a1e8-44f1-860e-ed6583761e65\"},{\"properties\":{\"displayName\":\"[Deprecated]: - Audit Web Sockets state for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed + locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft + Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: + Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security - Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e797f851-8be7-4c40-bb56-2e3395215b0e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 
1169 - Continuous Monitoring | Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7ba2cb3-5675-4468-8b50-8486bdd998a5\"},{\"properties\":{\"displayName\":\"Enforce - SSL connection should be enabled for MySQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce + SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against - 'man in the middle' attacks by encrypting the data stream between the server - and your application.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e802a67a-daf5-4436-9ea6-f6d821dd0c5d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1237 - Software Usage Restrictions | Open Source Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e80b6812-0bfa-4383-8223-cdd86a46a890\"},{\"properties\":{\"displayName\":\"Vulnerabilities - in container security configurations should be 
remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + ''man in the middle'' attacks by encrypting the data stream between the server + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft + Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities + in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security 
Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachineScaleSets\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ContainerBenchmark\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8cbc669-f12d-49eb-93e7-9273119e9933\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Data Lake Storage Gen1 to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1626 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8f6bddd-6d67-439a-88d4-c5fe39a79341\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e901375c-8f01-4ac8-9183-d5312f47fe63\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1723 - Information Input Validation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e91927a0-ac1d-44a0-95f8-5185f9dfce9f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1200 - Security Impact Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e98fe9d7-2ed3-44f8-93b7-24dca69783ff\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1487 - Alternate Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c3371d-c30c-4f58-abd9-30b8a8199571\"},{\"properties\":{\"displayName\":\"Remote - debugging should be turned off for API Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event 
Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft + Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft + Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements 
this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft + Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft + Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote + debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. 
Remote debugging - should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1363 - Incident Handling | Automated Incident Handling Processes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3e8156-89a1-45b1-8bd6-938abc79fdfd\"},{\"properties\":{\"displayName\":\"Inherit - a tag from the resource group if missing\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + should be turned 
off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit + a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag - Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', - parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3f2387-9b95-492a-a190-fcdc54f7b070\"},{\"properties\":{\"displayName\":\"Key - Vault should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', + parameters(''tagName''), 
'']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key + Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea4d6841-2173-4317-9747-ff522a45120f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1422 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea556850-838d-4a37-8ce5-9d7642f95e11\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1542 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eab340d0-3d55-4826-a0e5-feebfeb0131d\"},{\"properties\":{\"displayName\":\"Ensure - Function app has 'Client Certificates (Incoming client certificates)' set - to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client - certificates allow for the app to request a certificate for incoming requests. 
- Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eaebaea7-8013-4ceb-9d14-7eb32271373c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1064 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1321 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb627cc6-3a9d-46b5-96b7-5fca49178a37\"},{\"properties\":{\"displayName\":\"Log - checkpoints should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft + Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + Managed Control 1542 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure + Function app has ''Client Certificates (Incoming client certificates)'' set + to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates + allow for the app to request a certificate for incoming requests. 
Only clients + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft + Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft + Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log + checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_checkpoints\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\"},{\"properties\":{\"displayName\":\"Log - connections should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log + connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_connections - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_connections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\"},{\"properties\":{\"displayName\":\"Disconnections - should be logged for PostgreSQL database servers.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + setting 
enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections + should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_disconnections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\"},{\"properties\":{\"displayName\":\"Log - duration 
should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log + duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_duration\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\"},{\"properties\":{\"displayName\":\"Deprecated - accounts with owner permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated - accounts with owner permissions should be removed from your subscription. - \ Deprecated accounts are accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ebb62a0c-3560-49e1-89ed-27e074e9f8ad\"},{\"properties\":{\"displayName\":\"[Preview]: + 
setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated + accounts with owner permissions should be removed from your subscription. 
Deprecated + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from - accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid110\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec49586f-4939-402d-a29e-6ff502b20592\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Administrative - Templates - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Administrative Templates - - Control Panel'. 
It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"
bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesControlPanel\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec7ac234-2af5-4729-94d2-c557c071799d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed 
Control 1241 - User-Installed Software | Alerts For Unauthorized Installations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eca4d7b2-65e2-4e04-95d4-c68606b063c3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1622 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ecf56554-164d-499a-8d00-206b07c27bed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Key Vault to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - Control Panel''. 
It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"all
Of":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft + Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft + Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key - Vault\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for 
Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vaultName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('vaultName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled - diagnostic settings for ', 
parameters('vaultName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"vaultName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ed7c8c13-51e7-49d1-8a43-8490431a0da2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1217 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edea4f20-b02c-4115-be75-86c080e5c0ed\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Stream Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or 
False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + diagnostic settings for '', 
parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft + Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[conca
t(parameters('resourceName'), - '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edf3780c-3d70-40fe-b17e-ab72013dafca\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1189 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ee45e02a-4140-416c-82c4-fecfea660b9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1089 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef080e67-0d1a-4f76-a0c5-fb9b0358485e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1314 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef0c8530-efd9-45b8-b753-f03083d06295\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1128 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef212163-3bc4-4e86-bcf8-705127086393\"},{\"properties\":{\"displayName\":\"Vulnerability - assessment should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True 
+ or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft + Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft + Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft + Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft + Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\"},{\"properties\":{\"displayName\":\"Deploy - Diagnostic Settings for Event Hub to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + potential database 
vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy + Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile - name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event - Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization - rule Id for Azure Diagnostics. The authorization rule needs to be at Event - Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - metrics\",\"description\":\"Whether to enable metrics stream to the Event - Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable - logs\",\"description\":\"Whether to enable logs stream to the Event Hub - - True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), - '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1472 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef869332-921d-4c28-9402-3be73e6e50c8\"},{\"properties\":{\"displayName\":\"The - Log Analytics agent should be installed on Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft + Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The + Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\
"name\":\"efbde977-ba53-4479-b8e9-10b957924fbf\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1012 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1358 - Incident Response Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"effbaeef-5bf4-400d-895e-ef8cbc0e64c7\"},{\"properties\":{\"displayName\":\"Ensure - that Register with Azure Active Directory is enabled on Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + agent is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft + Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft + Managed Control 1358 - Incident 
Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure + that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0473e7a-a1ba-4e86-afb2-e829e11b01d8\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to audit Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy + prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to 
audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application - names (supports wildcards)\",\"description\":\"A semicolon-separated list - of the names of the applications that should not be installed. e.g. 'Microsoft - SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL - Server 2014*' (to match any application starting with 'Microsoft SQL Server - 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\"
:\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]NotInstalledApplicationResource1;Name', - '=', 
parameters('ApplicationName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"NotInstalledApplication\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0633351-c7b2-41ff-9981-508fc08553c2\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1531 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0643e0c-eee5-4113-8684-c608d05c5236\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1028 - Information Flow Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f171df5c-921b-41e9-b12b-50801c315475\"},{\"properties\":{\"displayName\":\"Virtual - networks should use specified virtual network gateway\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + names (supports wildcards)","description":"A semicolon-separated list of the + names of the applications that should not be installed. e.g. 
''Microsoft SQL + Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","
exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft + Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest + TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft + Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual + networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network gateway.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"virtualNetworkGatewayId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual - network gateway Id\",\"description\":\"Resource Id of the virtual network - gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Network/virtualNetworks/subnets\",\"name\":\"GatewaySubnet\",\"existenceCondition\":{\"not\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id\",\"notContains\":\"[concat(parameters('virtualNetworkGatewayId'), - '/')]\"}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1776c76-f58c-4245-a8d0-2b207198dc8b\"},{\"properties\":{\"displayName\":\"[Preview]: + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual + network gateway Id","description":"Resource Id of the virtual network gateway. 
+ Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), + ''/'')]"}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","type":"Microsoft.Authorization/policyDefinitions","name":"f1776c76-f58c-4245-a8d0-2b207198dc8b"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions - set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that do not have the passwd file permissions set to 0644. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid121\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f19aa1c1-6b91-4c27-ae6a-970279f03db9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative - Templates - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + set to 0644","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Linux virtual machines that + do not have the passwd file permissions set to 0644. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute
/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative + Templates - MSS 
(Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Adminstrative Templates - - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Administrative Templates + - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},
{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type
\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1f4825d-58fb-4257-8016-8c00e3c9ed9d\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1701 - Information System Monitoring | Host-Based Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f25bc08f-27cb-43b6-9a23-014d00700426\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1457 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f2d9d3e6-8886-4305-865d-639163e5c305\"},{\"properties\":{\"displayName\":\"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Micr
osoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft + Managed Control 1701 - Information System Monitoring | Host-Based 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft + Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance - Of Piv Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f355d62b-39a8-4ba3-abf7-90f71cb3b000\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1615 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\"},{\"properties\":{\"displayName\":\"Microsoft + Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft + Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business - Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3793f5e-937f-44f7-bfba-40647ef3efa0\"},{\"properties\":{\"displayName\":\"Show + Functions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not - contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b44e5d-1456-475f-9c67-c66c4618e85a\"},{\"properties\":{\"displayName\":\"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates - in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows VMs that do not contain the specified certificates in the - Trusted Root Certification Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b9ad83-000d-4dc1-bff0-6d54533dd03f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1706 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f475ee0e-f560-4c9b-876b-04a77460a404\"},{\"properties\":{\"displayName\":\"[Preview]: - Audit Log 
Analytics Workspace for VM - Report Mismatch\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + VMs that do not contain the specified certificates in the Trusted Root Certification + Authorities certificate store (Cert:\\LocalMachine\\Root). For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: + Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\"},\"parameters\":{\"logAnalyticsWorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log - Analytics Workspace Id that VMs should be configured for\",\"description\":\"This + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - 
for.\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"notEquals\":\"[parameters('logAnalyticsWorkspaceId')]\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f47b5582-33ec-4c5c-87c0-b010a6b2e917\"},{\"properties\":{\"displayName\":\"Authorization - rules on the Event Hub instance should be defined\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization + rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of authorization rules on Event Hub entities to grant least-privileged - access\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Event Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/eventhubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/eventHubs/authorizationRules\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4826e5f-6a27-407c-ae3e-9582eb39891d\"},{\"properties\":{\"displayName\":\"[Preview]: + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity - setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not have the password complexity - setting enabled. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f48b2913-1dc5-4834-8c72-ccc1dfd819bb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1495 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4978d0e-a596-48e7-9f8c-bbf52554ce8d\"},{\"properties\":{\"displayName\":\"[Preview]: + setting 
enabled","policyType":"BuiltIn","mode":"All","description":"This policy + should only be used along with its corresponding deploy policy in an initiative. + This definition allows Azure Policy to process the results of auditing Windows + virtual machines that do not have the password complexity setting enabled. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"
field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the - specified number of 
days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NumberOfDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Number of days\",\"description\":\"The number of days without restart until - the machine is considered non-compliant\"},\"defaultValue\":\"12\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standa
rd-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[MachineUpTime]MachineLastBootUpTime;NumberOfDays', - '=', 
parameters('NumberOfDays')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MachineLastBootUpTime\"},\"NumberOfDays\":{\"value\":\"[parameters('NumberOfDays')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NumberOfDays\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4b245d4-46c9-42be-9b1a-49e2b5b94194\"},{\"properties\":{\"displayName\":\"Deploy - Auditing on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of 
days","description":"The number of days without restart until the + machine is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute
/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","type":"Microsoft.Authorization/policyDefinitions","name":"f4b245d4-46c9-42be-9b1a-49e2b5b94194"},{"properties":{"displayName":"Deploy + Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. 
It will automatically create a storage account in the same - region as the SQL server to store audit records.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"retentionDays\":{\"type\":\"String\",\"metadata\":{\"description\":\"The - value in days of the retention period (0 indicates unlimited retention)\",\"displayName\":\"Retention - days (optional, 180 days if unspecified)\"},\"defaultValue\":\"180\"},\"storageAccountsResourceGroup\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource - group name for storage accounts\",\"description\":\"Auditing writes database - events to an audit log in your Azure Storage account (a storage account will - be created in each region where a SQL Server is created that will be shared - by all servers in that region). Important - for proper operation of Auditing - do not delete or rename the resource group or the storage accounts.\",\"strongType\":\"existingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"auditRetentionDays\":{\"type\":\"string\"},\"storageAccountsResourceGroup\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"retentionDays\":\"[int(parameters('auditRetentionDays'))]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\
"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), - parameters('location'), parameters('storageAccountsResourceGroup'))]\",\"locationCode\":\"[substring(parameters('location'), - 0, 3)]\",\"storageName\":\"[tolower(concat('sqlaudit', variables('locationCode'), - variables('uniqueStorage')))]\",\"createStorageAccountDeploymentName\":\"[concat('sqlServerAuditingStorageAccount-', - uniqueString(variables('locationCode'), parameters('serverName')))]\"},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('createStorageAccountDeploymentName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('storageAccountsResourceGroup')]\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storageName\":{\"value\":\"[variables('storageName')]\"}},\"templateLink\":{\"uri\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json\",\"contentVersion\":\"1.0.0.0\"}}},{\"name\":\"[concat(parameters('serverName'), - 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"storageEndpoint\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]\",\"storageAccountAccessKey\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountKey.value]\",\"retentionDays\":\"[variables('retentionDays')]\",\"auditActionsAndGroups\":null,\"storageAccountSubscriptionId\":\"[subscription().subscriptionId]\",\"isStorageSecondaryKeyInUse\":false}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"auditRetentionDays\":{\"value\":\"[parameters('retentionDays')]\"},\"storageAccountsResourceGroup\":{\"value\":\"[parameters('storageAccountsResourceGroup')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4c68484-132f-41f9-9b6d-3e4b1cb55036\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1469 - Power Equipment And Cabling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1618 - Security 
Function Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f52f89aa-4489-4ec4-950e-8c96a036baa9\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'Security Options - - Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention + days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource + group name for storage accounts","description":"Auditing writes database events + to an audit log in your Azure Storage account (a storage account will be created + in each region where a SQL Server is created that will be shared by all servers + in that region). 
Important - for proper operation of Auditing do not delete + or rename the resource group or the storage accounts.","strongType":"existingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"Default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"auditRetentionDays":{"type":"string"},"storageAccountsResourceGroup":{"type":"string"},"location":{"type":"string"}},"variables":{"retentionDays":"[int(parameters(''auditRetentionDays''))]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + parameters(''location''), parameters(''storageAccountsResourceGroup''))]","locationCode":"[substring(parameters(''location''), + 0, 3)]","storageName":"[tolower(concat(''sqlaudit'', variables(''locationCode''), + variables(''uniqueStorage'')))]","createStorageAccountDeploymentName":"[concat(''sqlServerAuditingStorageAccount-'', + uniqueString(variables(''locationCode''), 
parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), + ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft + Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft + Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options + - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'Security Options - - Network Access'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''Security Options - + Network Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Remotely accessible registry paths\",\"description\":\"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry - key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\ProductOptions|#|System\\\\CurrentControlSet\\\\Control\\\\Server - Applications|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Remotely accessible registry paths and sub-paths\",\"description\":\"Specifies + key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible 
over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` - registry key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Printers|#|System\\\\CurrentControlSet\\\\Services\\\\Eventlog|#|Software\\\\Microsoft\\\\OLAP - Server|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print|#|Software\\\\Microsoft\\\\Windows - NT\\\\CurrentVersion\\\\Windows|#|System\\\\CurrentControlSet\\\\Control\\\\ContentIndex|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal - Server|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\UserConfig|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal - Server\\\\DefaultUserConfiguration|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Perflib|#|System\\\\CurrentControlSet\\\\Services\\\\SysmonLog\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Network access: Shares that can be accessed anonymously\",\"description\":\"Specifies + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network - access: Remotely accessible registry paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPaths'), - ',', 'Network access: Remotely accessible registry paths and sub-paths;ExpectedValue', - '=', parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'), - ',', 'Network access: Shares that can be accessed anonymously;ExpectedValue', - '=', 
parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkAccess\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"string\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network - 
access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network - access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network - access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network - access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network - access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56a3ab2-89d1-44de-ac0d-2ada5962e22a\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1198 - Configuration Change Control | Security Representative\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56be5c3-660b-4c61-9078-f67cf072c356\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1328 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5c66fdc-3d02-4034-9db5-ba57802609de\"},{\"properties\":{\"displayName\":\"Microsoft + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivota
l"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), + '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', + ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), + '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft + Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft + Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / - Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5fd629f-3075-4cae-ab53-bad65495a4ac\"},{\"properties\":{\"displayName\":\"Internet-facing - virtual machines should be protected with Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). To learn more about controlling traffic with NSGs, visit - https://aka.ms/nsg-doc\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnVirtualMachines\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1214 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this 
Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f714a4e2-b580-47b6-ae8c-f2812d3750f3\"},{\"properties\":{\"displayName\":\"Microsoft + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft + Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions - / Ports / Protocols / Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f751cdb7-fbee-406b-969b-815d367cb9b3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1330 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f75cedb2-5def-4b31-973e-b69e8c7bd031\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1540 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f771f8cb-6642-45cc-9a15-8a41cd5c6977\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1449 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1506 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\"},{\"properties\":{\"displayName\":\"Show + / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft + Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft + Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft + Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft + Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell - execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + execution policy","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest - Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8036bd0-c10b-4931-86bb-94a878add855\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1705 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f82e3639-fa2b-4e06-a786-932d8379b972\"},{\"properties\":{\"displayName\":\"External - accounts with owner permissions should 
be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Wind
ows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External + accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8456c1c-aa66-4dfb-861a-25d127b775c9\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1345 - Cryptographic Module Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1065 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f87b8085-dca9-4cf1-8f7b-9822b997797c\"},{\"properties\":{\"displayName\":\"[Preview]: - Deploy prerequisites to audit Windows VMs configurations in 'System Audit - Policies - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft + Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft + Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit + Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: 'System Audit Policies - - System'. It also creates a system-assigned managed identity and deploys + with non-compliant settings in Group Policy category: ''System Audit Policies + - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditOtherSystemEvents\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Audit Other System Events\",\"description\":\"Specifies whether audit events - are generated for Windows Firewall Service and Windows Firewall driver start - and stop events, failure events for these services and Windows Firewall Service - policy processing failures.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success - and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microso
ft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit - Other System Events;ExpectedValue', '=', 
parameters('AuditOtherSystemEvents')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesSystem\"},\"AuditOtherSystemEvents\":{\"value\":\"[parameters('AuditOtherSystemEvents')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditOtherSystemEvents\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), - toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Other System Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), - '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit - Other System 
Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), - toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8b0158d-4766-490f-bea0-259e52dba473\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Service Bus should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows 
Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":
[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System 
Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic + logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit 
enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Service - Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8d36e2f-389b-4ee4-898d-21aeb69a0f45\"},{\"properties\":{\"displayName\":\"Microsoft + your network is 
compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement - / Auditing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9012d14-e3e6-4d7b-b926-9f37b5537066\"},{\"properties\":{\"displayName\":\"Microsoft + / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert - Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9873db2-18ad-46b3-a11a-1a1f8cbf0335\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1478 - Fire Protection | Suppression Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f997df46-cfbb-4cc8-aac8-3fecdaf6a183\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1535 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9a165d2-967d-4733-8399-1074270dae2e\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1108 - Content Of Audit Records | Additional Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9ad559e-c12d-415e-9a78-e50fdd7da7ba\"},{\"properties\":{\"displayName\":\"Diagnostic - logs in Azure Stream Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft + Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft + Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft + Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic + logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Stream - Analytics\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required - retention (days)\",\"description\":\"The required diagnostic logs retention - in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingJobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9be5368-9bf5-4b84-9e0a-7850da98bb46\"},{\"properties\":{\"displayName\":\"Latest - TLS version should be used in your 
Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade - to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App - Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9d614c5-c173-4d56-95a7-b4437057d193\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa108498-b3a8-4ffb-9e79-1107e76afad3\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1037 - Least Privilege | Network Access To Privileged 
Commands\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa4c2a3d-1294-41a3-9ada-0e540471e9fb\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1435 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa8d221b-d130-4637-ba16-501e666628bb\"},{\"properties\":{\"displayName\":\"Microsoft + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + 
retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft + Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft + Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft + Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks - For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"facb66e0-1c48-478a-bed5-747a312323e1\"},{\"properties\":{\"displayName\":\"Deploy - prerequisites to enable Guest Configuration Policy on Linux VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy + prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePu
blisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforLinux\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforLinux\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"id
entity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), - '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1086 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb321e6f-16a0-4be3-878f-500956e309c5\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1222 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb39e62f-6bda-4558-8088-ec03d5670914\"},{\"properties\":{\"displayName\":\"[Preview]: - Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Co
mpute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.ma
nagement.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft + Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft + Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: + Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security - Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.13.4\",\"1.13.3\",\"1.13.2\",\"1.13.1\",\"1.13.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.12.6\",\"1.12.5\",\"1.12.4\",\"1.12.3\",\"1.12.2\",\"1.12.1\",\"1.12.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.11.8\",\"1.11.7\",\"1.11.6\",\"1.11.5\",\"1.11.4\",\"1.11.3\",\"1.11.2\",\"1.11.1\",\"1.11.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.10.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.9.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.8.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.7.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.6.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.5.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.4.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.3.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.2.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.1.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.0.*\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb893a29-21bb-418c-a157-
e99480ec364c\"},{\"properties\":{\"displayName\":\"Storage + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"i
d":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage account containing the container with activity logs must be encrypted with - BYOK\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This - policy audits if the Storage account containing the container with activity - logs is encrypted with BYOK. The policy works only if the storage account - lies on the same subscription as activity logs by design. More information - on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. - \",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Insights/logProfiles\"},{\"field\":\"Microsoft.Insights/logProfiles/storageAccountId\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Storage/storageAccounts\",\"existenceScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"value\":\"[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), - subscription().Id)]\",\"equals\":\"true\"},{\"field\":\"name\",\"equals\":\"[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]\"},{\"field\":\"Microsoft.Storage/storageAccounts/encryption.keySource\",\"equals\":\"Microsoft.Keyvault\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\"},{\"properties\":{\"displayName\":\"Microsoft - 
Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based - \ Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fc933d22-04df-48ed-8f87-22a3773d4309\"},{\"properties\":{\"displayName\":\"[Preview]: - Show audit results from Windows VMs configurations in 'Security Options - - Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. 
","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft + Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: + Show audit results 
from Windows VMs configurations in ''Security Options - + Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: 'Security Options - Microsoft Network Client'. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest - Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\"
:\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fcbc55c9-f25a-4e55-a6cb-33acb3be778b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1318 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fced5fda-3bdb-4d73-bfea-0e2c80428b66\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1543 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd00b778-b5b5-49c0-a994-734ea7bd3624\"},{\"properties\":{\"displayName\":\"Microsoft + category: ''Security Options - Microsoft Network Client''. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft + Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated - Alerts And Advisories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4a2ac8-868a-4702-a345-6c896c3361ce\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1299 - Identification And Authentication Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4e54f7-9ab0-4bae-b6cc-457809948a89\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1627 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd73310d-76fc-422d-bda4-3a077149f179\"},{\"properties\":{\"displayName\":\"Microsoft + Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft + Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft + Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time - Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1611 - Developer-Provided Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1405 - Maintenance Tools | Inspect Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1613 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe2ad78b-8748-4bff-a924-f74dfca93f30\"},{\"properties\":{\"displayName\":\"Show - audit results from Linux VMs that do not have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft + Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft + Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + Managed Control 1613 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show + audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest - 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"fiel
d\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fee5cb2b-9d9b-410e-afe3-2902d90d0004\"},{\"properties\":{\"displayName\":\"Vulnerabilities - on your SQL databases should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Monitor + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security - Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedinstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"feedbf84-6b99-488c-acc2-71c829aa5ffc\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ff9fbd83-1d8d-4b41-aac2-94cb44b33976\"},{\"properties\":{\"displayName\":\"Microsoft - Managed Control 1158 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft - implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory - 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fff50cf2-28eb-45b4-b378-c99412688907\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificate validity period\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the maximum validity period for certificates in months.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"maximumValidityInMonths\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The maximum validity in months\",\"description\":\"The limit to how long a - certificate may be valid for. 
Certificates with lengthy validity periods aren't - best practice.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths\",\"greater\":\"[parameters('maximumValidityInMonths')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a075868-4c26-42ef-914c-5bc007359560\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure containers listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft + Managed Control 1407 - Maintenance Tools | Prevent Unauthorized 
Removal","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: + Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate + may be valid for. 
Certificates with lengthy validity periods aren''t best + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedContainerPortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container ports regex\",\"description\":\"Regex representing container ports - allowed in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerPortsRegex\":\"[parameters('allowedContainerPortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f636243-1b1c-4d50-880f-310f6199f2cb\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage allowed certificate key types\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the allowed key types for certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedKeyTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed key types\",\"description\":\"The list of allowed certificate key - types.\"},\"allowedValues\":[\"RSA\",\"RSA-HSM\",\"EC\",\"EC-HSM\"],\"defaultValue\":[\"RSA\",\"RSA-HSM\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"notIn\":\"[parameters('allowedKeyTypes')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1151cede-290b-4ba0-8b38-0ad145ac888f\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificate lifetime action triggers\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed + container ports regex","description":"Regex representing container ports allowed + in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: + Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"maximumPercentageLife\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The maximum lifetime percentage\",\"description\":\"Enter the percentage of - lifetime of the certificate when you want to trigger the policy action. For - example, to trigger a policy action at 80% of the certificate's valid life, - enter '80'.\"}},\"minimumDaysBeforeExpiry\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - The minimum days before expiry\",\"description\":\"Enter the days before expiration + before certificate expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime + of the certificate when you want to trigger the policy action. 
For example, + to trigger a policy action at 80% of the certificate''s valid life, enter + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, - to trigger a policy action 90 days before the certificate's expiration, enter - '90'.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"less\":\"[parameters('minimumDaysBeforeExpiry')]\"}]},{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"greater\":\"[parameters('maximumPercentageLife')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ef42cb-9903-4e39-9c26-422d29570417\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce labels on pods in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + to trigger a policy action 90 days before the certificate''s expiration, enter + ''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"commaSeparatedListOfLabels\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Comma-separated - list of labels\",\"description\":\"A comma-separated list of labels to be - specified on Pods in Kubernetes cluster. E.g. 
test1,test2\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"PodEnforceLabels\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"commaSeparatedListOfLabels\":\"[parameters('commaSeparatedListOfLabels')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16c6ca72-89d2-4798-b87e-496f9de7fcb7\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated + list of labels","description":"A comma-separated list of labels to be specified + on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedServicePortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - service ports list\",\"description\":\"The list of service ports allowed in - a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - 
Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml\",\"values\":{\"allowedServicePorts\":\"[parameters('allowedServicePortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"233a2a17-77ca-4fb1-9b6b-69223d272a44\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure services listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + service ports list","description":"The list of service ports allowed in a + Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml","values":{"allowedServicePorts":"[parameters(''allowedServicePortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44","type":"Microsoft.Authorization/policyDefinitions","name":"233a2a17-77ca-4fb1-9b6b-69223d272a44"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure services listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedServicePortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - service ports regex\",\"description\":\"Regex representing service ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ServiceAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedServicePortsRegex\":\"[parameters('allowedServicePortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25dee3db-6ce0-4c02-ab5d-245887b24077\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce HTTPS ingress in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed + service ports regex","description":"Regex representing service ports allowed + in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ServiceAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedServicePortsRegex":"[parameters(''allowedServicePortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077","type":"Microsoft.Authorization/policyDefinitions","name":"25dee3db-6ce0-4c02-ab5d-245887b24077"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce HTTPS ingress in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"HttpsIngressOnly\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce internal load balancers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - 
Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\"},{\"properties\":{\"displayName\":\"[Preview]: + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes - cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed 
ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedContainerPortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - container ports list\",\"description\":\"The list of container ports allowed - in a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml\",\"values\":{\"allowedContainerPorts\":\"[parameters('allowedContainerPortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"440b515e-a580-421e-abeb-b159a61ddcbc\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Enforce labels on pods in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + container ports list","description":"The list of container ports allowed in + a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"labelsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"List - of labels\",\"description\":\"The list of labels to be specified on Pods in - a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml\",\"values\":{\"labels\":\"[parameters('labelsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46592696-4c7b-4bf3-9e45-6c2763bdc0a6\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Ensure only allowed container images in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + of labels","description":"The list of labels to be specified on Pods in a + Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml","values":{"labels":"[parameters(''labelsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6","type":"Microsoft.Authorization/policyDefinitions","name":"46592696-4c7b-4bf3-9e45-6c2763bdc0a6"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container images regex\",\"description\":\"Regex representing container images + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images - is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedImages\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f86cb6e-c4da-441b-807c-44bd0cc14e66\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Do not allow privileged containers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + is 
^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedImages","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66","type":"Microsoft.Authorization/policyDefinitions","name":"5f86cb6e-c4da-441b-807c-44bd0cc14e66"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Do not allow privileged containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerNoPrivilege\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates issued by an integrated CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: + Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedCAs\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed Azure Key Vault Supported CAs\",\"description\":\"The list of allowed - certificate authorities supported by Azure Key Vault.\"},\"allowedValues\":[\"DigiCert\",\"GlobalSign\"],\"defaultValue\":[\"DigiCert\",\"GlobalSign\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.name\",\"notIn\":\"[parameters('allowedCAs')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e826246-c976-48f6-b03e-619bb92b3d82\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Do not allow privileged containers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95edb821-ddaf-4404-9732-666045e056b4\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates issued by a non-integrated CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: + Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"caCommonName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - The common name of the certificate authority\",\"description\":\"The common - name (CN) of the Certificate Authority (CA) provider. 
For example, for an - issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName\",\"notContains\":\"[parameters('caCommonName')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a22f4a40-01d3-4c7d-8071-da157eeff341\"},{\"properties\":{\"displayName\":\"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers - in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerResourceLimits\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2d3ed81-8d11-4079-80a5-1faadc0024f4\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce internal load balancers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"LoadBalancersInternal\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a74d8f00-2fd9-4ce4-968e-0ee1eb821698\"},{\"properties\":{\"displayName\":\"[Preview]: + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes - cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fd3e59-6390-4f2b-8247-ea676bd03e2d\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage allowed curve names for elliptic curve cryptography certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: + Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"allowedECNames\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: - Allowed elliptic curve names\",\"description\":\"The list of allowed curve - names for elliptic curve cryptography certificates.\"},\"allowedValues\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"],\"defaultValue\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"EC\",\"EC-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName\",\"notIn\":\"[parameters('allowedECNames')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd78111f-4953-4367-9fd5-7e08808b54bf\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage minimum key size for RSA certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This - policy manages the minimum key size for RSA certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"minimumRSAKeySize\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - Minimum RSA key size\",\"description\":\"The minimum key size for RSA certificates.\"},\"allowedValues\":[2048,3072,4096]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"RSA\",\"RSA-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize\",\"less\":\"[parameters('minimumRSAKeySize')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cee51871-e572-4576-855c-047c820360f0\"},{\"properties\":{\"displayName\":\"[Limited - Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This 
policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes - service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"UniqueIngressHostnames\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d011d9f7-ba32-4005-b727-b3d09371ca60\"},{\"properties\":{\"displayName\":\"[Preview]: + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes + service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed - the specified limits in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"cpuLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Max - allowed CPU units\",\"description\":\"The maximum CPU units allowed for a - container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"memoryLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Max - allowed memory bytes\",\"description\":\"The maximum memory bytes allowed - for a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml\",\"values\":{\"cpuLimit\":\"[parameters('cpuLimit')]\",\"memoryLimit\":\"[parameters('memoryLimit')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345eecc-fa47-480f-9e88-67dcc122b164\"},{\"properties\":{\"displayName\":\"[Preview]: - Manage certificates that are within a specified number of days of expiration\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + allowed CPU units","description":"The maximum CPU units allowed for a container. + E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max + allowed memory bytes","description":"The maximum memory bytes allowed for + a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: + Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key - Vault\",\"preview\":true},\"parameters\":{\"daysToExpire\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: - Days to expire\",\"description\":\"The number of days for a certificate to - expire.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: - Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn\",\"lessOrEquals\":\"[addDays(utcNow(), - 
parameters('daysToExpire'))]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f772fb64-8e40-40ad-87bc-7706e1949427\"},{\"properties\":{\"displayName\":\"[Preview]: - [AKS Engine] Ensure only allowed container images in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: + [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\"},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed - container images regex\",\"description\":\"Regex representing container images + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. Regex for azure container registry images - is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable - or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS - Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml\",\"values\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"febd0533-8e55-448f-b837-bd0e06f16469\"},{\"properties\":{\"displayName\":\"Audit - virtual machines without disaster recovery 
configured\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"test\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:21:49.7174918Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of allowed locations for resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c510c21-8404-40b2-a351-73e881e707dc\"},{\"properties\":{\"displayName\":\"zhoxing_test_new_policy_test_length_exceed_name\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"\u6D4B\u8BD5\u4E00\u4E0B\u540D\u5B57\u8D85\u957F\u7684\u7B56\u7565\u54E6\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:14:59.2983062Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of allowed locations for 
resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8720f898-d316-4608-b43d-203ce23c2a8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8720f898-d316-4608-b43d-203ce23c2a8d\"},{\"properties\":{\"displayName\":\"test_policy6iqdav32l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:20:01.1577308Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy4zz266ek6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy4zz266ek6\"},{\"properties\":{\"displayName\":\"test_policybsix632z6\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T03:24:37.437303Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy57hfk7oid\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy57hfk7oid\"},{\"properties\":{\"displayName\":\"test_policy3ulbefgq5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy5rxcsbgyu\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy5rxcsbgyu\"},{\"properties\":{\"displayName\":\"test_policy66vwzao4g\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:12:26.4310804Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy63bzujayf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy63bzujayf\"},{\"properties\":{\"displayName\":\"test_policyvrud2j572\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6rmvrx2ug\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6rmvrx2ug\"},{\"properties\":{\"displayName\":\"test_policyqr33lcjpy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:02:21.3055647Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6vduv5kcq\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6vduv5kcq\"},{\"properties\":{\"displayName\":\"test_policyeezgnn3tf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy72fpbk6om\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy72fpbk6om\"},{\"properties\":{\"displayName\":\"test_policylzld56g3c\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy75lhjp2qz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy75lhjp2qz\"},{\"properties\":{\"displayName\":\"test_policyac3dg2mjn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:20:41.768722Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7nfzu5aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy7nfzu5aac\"},{\"properties\":{\"displayName\":\"test_policy4leaozaze\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyafjaspbln\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyafjaspbln\"},{\"properties\":{\"displayName\":\"test_policytz5xijuco\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed - locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyaip6dvuui\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyaip6dvuui\"},{\"properties\":{\"displayName\":\"test_policyk2ipvteje\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policycc24wg2ai\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policycc24wg2ai\"},{\"properties\":{\"displayName\":\"test_policy3fqevgg5o\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T07:30:30.8196821Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of locations that can be specified - when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyda63cvhit\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyda63cvhit\"},{\"properties\":{\"displayName\":\"test_policytxax3vq3l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:13:20.7569455Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyeal5hjxel\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyeal5hjxel\"},{\"properties\":{\"displayName\":\"test_policynek2j6dvx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyebyt2or2s\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyebyt2or2s\"},{\"properties\":{\"displayName\":\"test_policyo57mbgttt\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf4gvztvgz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyf4gvztvgz\"},{\"properties\":{\"displayName\":\"test_policyry7ktdqpn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfneqctrjx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfneqctrjx\"},{\"properties\":{\"displayName\":\"test_policyhproaqyb2\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T07:55:49.8973296Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfo7wr4vix\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfo7wr4vix\"},{\"properties\":{\"displayName\":\"test_policyfufe2htyd\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:17:08.3329915Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyftxdxfati\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyftxdxfati\"},{\"properties\":{\"displayName\":\"test_policypq5w4fcp5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhavmopeay\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhavmopeay\"},{\"properties\":{\"displayName\":\"test_policyzhxn622hb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhb6kmyq63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhb6kmyq63\"},{\"properties\":{\"displayName\":\"test_policyzbi2xb6y7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyismcbfzwf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyismcbfzwf\"},{\"properties\":{\"displayName\":\"test_policyyulsilxiw\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjp2hqpyxg\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyjp2hqpyxg\"},{\"properties\":{\"displayName\":\"test_policy3b7x23vtu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:09:59.3205891Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyk7i5cvli7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyk7i5cvli7\"},{\"properties\":{\"displayName\":\"test_policykr5rg52qb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-20T07:02:32.8430887Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyko7fuaryl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyko7fuaryl\"},{\"properties\":{\"displayName\":\"test_policym7v6bzkep\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyl5e3igsku\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyl5e3igsku\"},{\"properties\":{\"displayName\":\"test_policyr5ivz4uoy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policylw4dif6k4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policylw4dif6k4\"},{\"properties\":{\"displayName\":\"test_policytbp7jr4ui\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:32:31.9256236Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyma7xpif5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyma7xpif5f\"},{\"properties\":{\"displayName\":\"test_policyltbuxqxmj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:01:18.5679417Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymhawrsfdj\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymhawrsfdj\"},{\"properties\":{\"displayName\":\"test_policyp2yhkolhg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymxx4vzibo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymxx4vzibo\"},{\"properties\":{\"displayName\":\"test_policyt252aa3in\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyose3kehj3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyose3kehj3\"},{\"properties\":{\"displayName\":\"test_policyg5g7wrd63\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqcexugiyb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqcexugiyb\"},{\"properties\":{\"displayName\":\"test_policyrhqz2lkr7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:06:49.1738752Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqsscwoy4k\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqsscwoy4k\"},{\"properties\":{\"displayName\":\"test_policyfn5bvohrv\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-15T07:02:13.594025Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr45j67nyp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr45j67nyp\"},{\"properties\":{\"displayName\":\"test_policygciiyb5ye\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:07:22.3409618Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr7fhjcb3r\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr7fhjcb3r\"},{\"properties\":{\"displayName\":\"test_policy2k3hcktfx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:18:07.741136Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrnepsjpsa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrnepsjpsa\"},{\"properties\":{\"displayName\":\"test_policy5u5ook2zf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrs5zxfokx\"},{\"properties\":{\"displayName\":\"test_policyepxuvmnrs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrtseayuym\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrtseayuym\"},{\"properties\":{\"displayName\":\"test_policyeglfwi2os\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrzih7n7ws\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrzih7n7ws\"},{\"properties\":{\"displayName\":\"test_policyrjb7ausww\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-26T07:06:57.89264Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysh2ld2fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policysh2ld2fbf\"},{\"properties\":{\"displayName\":\"test_policyeop2lxcb7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytaxuus2zo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytaxuus2zo\"},{\"properties\":{\"displayName\":\"test_policyx5a3znshs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T09:10:23.421479Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations\",\"description\":\"The list of locations that can be specified - when deploying 
resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytl5ocnpv2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytl5ocnpv2\"},{\"properties\":{\"displayName\":\"test_policymichd2ukj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytrkoh7vio\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytrkoh7vio\"},{\"properties\":{\"displayName\":\"test_policymhqqjyizg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyunv6j3gfp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyunv6j3gfp\"},{\"properties\":{\"displayName\":\"test_policyf2qzg3ba4\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed - locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv3qavzpbx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv3qavzpbx\"},{\"properties\":{\"displayName\":\"test_policy5koxubsg5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv53qgvql6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv53qgvql6\"},{\"properties\":{\"displayName\":\"test_policycaxoe7agu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:14:31.5587491Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv6bc2zdey\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv6bc2zdey\"},{\"properties\":{\"displayName\":\"test_policy65zhk56oe\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:12:22.7078165Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvmph7iatk\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvmph7iatk\"},{\"properties\":{\"displayName\":\"test_policy7t2i6ysv7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvpb2ircbl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvpb2ircbl\"},{\"properties\":{\"displayName\":\"test_policyc2n4hwvff\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:21:23.3432499Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policywsslcs6dz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policywsslcs6dz\"},{\"properties\":{\"displayName\":\"test_policyn67yt2fld_new\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-06-11T06:51:10.2516Z\",\"updatedBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"updatedOn\":\"2019-06-11T06:51:13.9885473Z\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed - locations 2\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyx5j3fsjzb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyx5j3fsjzb\"},{\"properties\":{\"displayName\":\"test_policy574uc23jc\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:14:59.7674009Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy7mglfglo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyy7mglfglo\"},{\"properties\":{\"displayName\":\"test_policyif4bjggk7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyuuoin4oc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyyuuoin4oc\"},{\"properties\":{\"displayName\":\"test_policyvy7eweevk\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-19T07:01:55.8648869Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The - list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed - 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyzyhzyddss\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyzyhzyddss\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"Deny - cool access tiering for storage\",\"metadata\":{\"createdBy\":\"89ed5be8-ff97-41b5-ab11-055e1e3cc34b\",\"createdOn\":\"2019-03-09T04:29:39.8836867Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"kind\",\"equals\":\"BlobStorage\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/accessTier\",\"equals\":\"cool\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"denyCoolTiering\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:35.9462109Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T05:58:36.2899714Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1d6a287496763bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1d6a287496763bd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.3616782Z\",\"updatedBy\":\"5b5e6b07-
55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T04:25:20.5689022Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1ff115351d7d620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1ff115351d7d620\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:36.5087248Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd226f944793a0edd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd226f944793a0edd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.9593945Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd248103959e1b89a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd248103959e1b89a\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:53:56.4821495Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.
Authorization/policyDefinitions/pdn4b00229168b529\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn4b00229168b529\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:12:02.5562119Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn7d459478c62e5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn7d459478c62e5f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:16:25.1651266Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdndd5095457eae7f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdndd5095457eae7f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:21:56.3757672Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdnfc173081e3e1c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdnfc173081e3e1c6\"},{\"properties\":{\"displayName\":\"pol-defdis-2169\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:43:22.5629692Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-2601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-2601\"},{\"properties\":{\"displayName\":\"pol-dis-5258\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:57:59.3671014Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3066\"},{\"properties\":{\"displayName\":\"pol-defdis-1797\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:59:42.1212637Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3604\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3604\"},{\"properties\":{\"displayName\":\"pol-defdis-8885\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:51:26.6479837Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4703\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4703\"},{\"properties\":{\"displayName\":\"pol-defdis-5984\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:44:44.5908405Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4803\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4803\"},{\"properties\":{\"displayName\":\"pol-dis-2866\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:59:29.3473453Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-7444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-7444\"},{\"properties\":{\"displayName\":\"pol-defdis-3052\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:50:49.8743418Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-834\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-834\"},{\"properties\":{\"displayName\":\"pol-dis-6545\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:01:11.8439197Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-07T10:01:13.5984375Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-900\"},{\"properties\":{\"displayName\":\"pol-defdis-412\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy - definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:39:00.9481726Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-9447\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-9447\"},{\"properties\":{\"displayName\":\"Sumit- - NSG X on every subnet\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"This - 
policy enforces a specific NSG on every subnet\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-01-02T03:24:40.1850198Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts/write\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/sumit-enforce-nsg-on-subnett2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"sumit-enforce-nsg-on-subnett2\"}]}" + is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"Replace + tag without becoming 
compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"rohitbh: + Key vault access policy","policyType":"Custom","mode":"All","description":"definition + description","metadata":{"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:11:44.907552Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:08:39.7776262Z"},"parameters":{"userObjectId":{"type":"String","metadata":{"displayName":"User + Object ID","description":"The GUID for the user which should have 
access"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.Keyvault/vaults/accessPolicies[*].objectId","notEquals":"[parameters(''userObjectId'')]"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.KeyVault/vaults","name":"current","deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"objectId":{"type":"string"},"keyVaultName":{"type":"string"},"secretsPermissions":{"type":"array","defaultValue":["list"]},"tenantId":{"type":"string"},"location":{"type":"string"},"sku":{"type":"object"},"existingAccessPolicies":{"type":"array","defaultValue":[]}},"variables":{"accessPolicies":[{"tenantId":"[parameters(''tenantId'')]","objectId":"[parameters(''objectId'')]","permissions":{"secrets":"[parameters(''secretsPermissions'')]"}}]},"resources":[{"type":"Microsoft.KeyVault/vaults","name":"[parameters(''keyVaultName'')]","location":"[parameters(''location'')]","apiVersion":"2018-02-14","properties":{"sku":"[parameters(''sku'')]","tenantId":"[parameters(''tenantId'')]","accessPolicies":"[concat(parameters(''existingAccessPolicies''), + 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"test_policyq6slq5sm7_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-11T19:51:06.1795637Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-11T19:51:08.2216691Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf3znzikbi","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyf3znzikbi"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated + Unit test junk: sorry for littering. 
Please delete me!","metadata":{"testName":"testValue","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-02T22:35:27.2634648Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-02T22:35:29.2696603Z"},"policyRule":{"if":{"source":"action","equals":"Microsoft.Resources/Subscriptions/ResourceGroups/write"},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7866","type":"Microsoft.Authorization/policyDefinitions","name":"ps7866"},{"properties":{"displayName":"robga + test modify","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-06T13:52:23.9266854Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-28T17:18:53.3118044Z"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"tags.testModify","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"tags.testModify","value":"addModifyOperation"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","type":"Microsoft.Authorization/policyDefinitions","name":"robgaTestModify"},{"properties":{"displayName":"Audit + tag at 
MG","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:29.3038974Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.Test","equals":"UnitTest"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","type":"Microsoft.Authorization/policyDefinitions","name":"03ae6c12-b46a-43f1-9f3d-c20620473106"},{"properties":{"displayName":"\"metadata\": + { \"category\": \"testResourcesGrid\" },","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T20:48:36.8149755Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.testResourcesGrid","equals":"testResourcesGrid"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/4bba2e95-2749-431f-95ff-d032a3ae57f6","type":"Microsoft.Authorization/policyDefinitions","name":"4bba2e95-2749-431f-95ff-d032a3ae57f6"},{"properties":{"displayName":"CaleC + - Technical Owner Email Tag on RG","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-13T21:16:37.0623117Z","updatedBy":null,"updatedOn":null},"parameters":{"namePattern":{"type":"String","metadata":{"displayName":"Pattern + matching","description":"Pattern to use for names. 
Can include wildcard (*)."}},"tagName":{"type":"String","metadata":{"displayName":"tagName","description":"Technical + Owner Email Address"},"defaultValue":"TechnicalOwnerEmail"}},"policyRule":{"if":{"allOf":[{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","like":"[parameters(''namePattern'')]"}},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/54d50b8c-c4c6-4552-9e50-19925aedcf44","type":"Microsoft.Authorization/policyDefinitions","name":"54d50b8c-c4c6-4552-9e50-19925aedcf44"},{"properties":{"displayName":"rohitbh + def","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-28T00:13:27.0393653Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/5b51a7de-acd9-42cd-81bd-32d9c01968e9","type":"Microsoft.Authorization/policyDefinitions","name":"5b51a7de-acd9-42cd-81bd-32d9c01968e9"},{"properties":{"displayName":"jilim + audit subscriptions without security 
contacts","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-07T20:59:59.7600143Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/Subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Security/securityContacts"}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/67d90168-f067-43df-bd57-bca4b46df3a0","type":"Microsoft.Authorization/policyDefinitions","name":"67d90168-f067-43df-bd57-bca4b46df3a0"},{"properties":{"displayName":"Empty + deployment on each KeyVault resource","policyType":"Custom","mode":"Indexed","description":"Deploys + an empty deployment (with one output) on each KeyVault vault. Used for some + PolicyInsights SDK tests.","metadata":{"category":"SDK Tests","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:12.9974078Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/policyAssignments","name":"notExists","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[],"outputs":{"constantOutput":{"type":"string","value":"someConstantValue"}}}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","type":"Microsoft.Authorization/policyDefinitions","name":"78a38c70-5549-49bd-8a16-fe3619e5d2cf"},{"properties":{"displayName":"CaleC + - Ensure principal is member of 
role","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-08T01:55:56.4678953Z","updatedBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","updatedOn":"2019-11-13T21:19:54.5769298Z"},"parameters":{"roleDefinitionId":{"type":"String","metadata":{"displayName":"Approved + Role Definition","description":"The role definition id to add the principal + to."}},"principalId":{"type":"String","metadata":{"displayName":"Principal + Id","description":"Principal Id to add to roles"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"name","equals":"[parameters(''roleDefinitionId'')]"}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/roleAssignments","deploymentScope":"subscription","existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Authorization/roleAssignments/principalId","equals":"[parameters(''principalId'')]"},{"field":"Microsoft.Authorization/roleAssignments/roleDefinitionId","equals":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleDefinitionId''))]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"roleId":{"value":"[parameters(''roleDefinitionId'')]"},"principalId":{"value":"[parameters(''principalId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"principalId":{"type":"string"},"roleId":{"type":"string"}},"resources":[{"name":"[guid(subscription().id, + parameters(''roleId''), 
parameters(''principalId''))]","type":"Microsoft.Authorization/roleAssignments","apiVersion":"2019-04-01-preview","properties":{"principalId":"[parameters(''principalId'')]","roleDefinitionId":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleId''))]"}}]}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/906ef7c2-27f9-48f4-b111-1f0aca8697cd","type":"Microsoft.Authorization/policyDefinitions","name":"906ef7c2-27f9-48f4-b111-1f0aca8697cd"},{"properties":{"displayName":"jilim + mg test 2","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:34:15.5651057Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilim + mg test 2","type":"Microsoft.Authorization/policyDefinitions","name":"jilim + mg test 2"},{"properties":{"displayName":"jilim mg test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:00:41.0087033Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilimmgtest","type":"Microsoft.Authorization/policyDefinitions","name":"jilimmgtest"}]}' headers: cache-control: - no-cache content-length: - - '1827395' + - '1787615' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:52 GMT + - Tue, 11 Feb 2020 19:54:11 GMT expires: - '-1' pragma: 
diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_identity.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_identity.yaml index 9583d4eb663..188289db2c8 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_identity.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_identity.yaml @@ -681,7 +681,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1197' + - '1199' status: code: 201 message: Created @@ -1717,7 +1717,7 @@ interactions: cache-control: - no-cache content-length: - - '1049' + - '1048' content-type: - application/json; charset=utf-8 date: @@ -2521,7 +2521,7 @@ interactions: cache-control: - no-cache content-length: - - '1049' + - '1048' content-type: - application/json; charset=utf-8 date: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_management_group.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_management_group.yaml index 6832e830919..dbd60fcfa64 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_management_group.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_management_group.yaml 
@@ -16,23 +16,23 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: POST uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management/register?api-version=2019-07-01 response: body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[
],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults/asyncOperation","locations":[],"apiVersions":["2019-11-01","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"
None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '1688' + - '1914' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:15 GMT + - Wed, 12 Feb 2020 21:15:41 GMT expires: - '-1' pragma: 
@@ -65,23 +65,23 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management?api-version=2019-07-01 response: body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVers
ions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults/asyncOperation","locations":[],"apiVersions":["2019-11-01","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"r
egistrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '1688' + - '1914' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:26 GMT + - Wed, 12 Feb 2020 21:15:51 GMT expires: - '-1' pragma: @@ -117,7 +117,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT @@ -133,7 +133,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:28 GMT + - Wed, 12 Feb 2020 21:15:52 GMT expires: - '-1' location: @@ -141,11 +141,11 @@ interactions: pragma: - no-cache request-id: - - c0f1a989-d739-44f7-a019-dc2da4fef79b + - f3642657-b9f4-4ab5-ac7d-b2ae906f7fc6 strict-transport-security: - max-age=31536000; includeSubDomains x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1550 x-content-type-options: - nosniff x-ms-ratelimit-remaining-tenant-writes: @@ -168,7 +168,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/providers/Microsoft.Management/operationResults/create/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: @@ -182,7 +182,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:38 GMT + - Wed, 12 Feb 2020 21:16:03 GMT expires: - '-1' location: 
@@ -190,11 +190,11 @@ interactions: pragma: - no-cache request-id: - - 77fcc86f-9bf5-4f94-a8d7-bc06a36a052c + - 4482685e-6f67-4d0f-808c-a42c1ac479b4 strict-transport-security: - max-age=31536000; includeSubDomains x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1550 x-content-type-options: - nosniff status: 
@@ -215,12 +215,12 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/providers/Microsoft.Management/operationResults/create/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: body: - string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Succeeded","properties":{"tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"cli-test-mgmt-group000002","details":{"version":1,"updatedTime":"2019-12-06T22:27:38.5517836Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","parent":{"id":"/providers/Microsoft.Management/managementGroups/72f988bf-86f1-41af-91ab-2d7cd011db47","name":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"72f988bf-86f1-41af-91ab-2d7cd011db47"}}}}' + string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Succeeded","properties":{"tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"cli-test-mgmt-group000002","details":{"version":1,"updatedTime":"2020-02-12T21:16:00.3003761Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","parent":{"id":"/providers/Microsoft.Management/managementGroups/72f988bf-86f1-41af-91ab-2d7cd011db47","name":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"72f988bf-86f1-41af-91ab-2d7cd011db47"}}}}' headers: cache-control: - no-cache 
@@ -229,13 +229,13 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:50 GMT + - Wed, 12 Feb 2020 21:16:15 GMT expires: - '-1' pragma: - no-cache request-id: - - c4dd85a3-1a8c-4bcb-9784-b5611f728d22 + - 864d149e-a226-43f9-bbc3-6108cb57f492 strict-transport-security: - max-age=31536000; includeSubDomains transfer-encoding: @@ -243,7 +243,7 @@ interactions: vary: - Accept-Encoding,Accept-Encoding x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1550 x-content-type-options: - nosniff status: 
@@ -273,14 +273,14 @@ interactions: - -n --rules --params --display-name --description --mode --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: 
@@ -291,7 +291,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:53 GMT + - Wed, 12 Feb 2020 21:36:19 GMT expires: - '-1' pragma: 
@@ -320,14 +320,14 @@ interactions: - -n --description --display-name --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: 
@@ -338,7 +338,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:54 GMT + - Wed, 12 Feb 2020 21:36:16 GMT expires: - '-1' pragma: 
@@ -378,14 +378,14 @@ interactions: - -n --description --display-name --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:27:57.7919894Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.1051791Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: 
@@ -396,7 +396,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:57 GMT + - Wed, 12 Feb 2020 21:36:16 GMT expires: - '-1' pragma: 
@@ -425,14 +425,14 @@ interactions: - -n --description --display-name --metadata --params --rules --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:27:57.7919894Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.1051791Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: 
@@ -443,7 +443,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:27:58 GMT + - Wed, 12 Feb 2020 21:36:20 GMT expires: - '-1' pragma: 
@@ -482,24 +482,24 @@ interactions: - -n --description --display-name --metadata --params --rules --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:28:01.355527Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.9157079Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: cache-control: - no-cache content-length: - - '836' + - '837' content-type: - application/json; 
charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:01 GMT + - Wed, 12 Feb 2020 21:36:20 GMT expires: - '-1' pragma: @@ -528,7 +528,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -537,41 +537,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed 
Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -579,55 +585,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute
/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"al
lOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -640,105 +646,107 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"typ
e":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example values: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"fie
ld":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', 
variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: 
Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -749,26 +757,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -776,7 +786,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -795,44 +805,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -841,96 +857,105 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderEx
ploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Comput
e/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsof
t.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"[Preview]: + Audit Azure Spring Cloud 
instances where distributed tracing is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"With + the distributed tracing tools in Azure Spring Cloud, you can easily debug + and monitor complex issues. Azure Spring Cloud integrates Azure Spring Cloud + Sleuth with Azure''s Application Insights. This integration provides powerful + distributed tracing capability from the Azure portal.","metadata":{"version":"1.0.0-preview","category":"App + Platform","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.AppPlatform/Spring"},{"anyOf":[{"field":"Microsoft.AppPlatform/Spring/trace.enabled","notEquals":"true"},{"field":"Microsoft.AppPlatform/Spring/trace.state","notEquals":"Succeeded"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f2d8593-4667-4932-acca-6a9f187af109","type":"Microsoft.Authorization/policyDefinitions","name":"0f2d8593-4667-4932-acca-6a9f187af109"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -940,11 +965,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -954,55 +979,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or 
to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"}
,{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefiniti
ons/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -1011,11 +1041,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1026,22 +1056,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1050,11 +1081,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/i
mageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1064,12 +1095,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1078,7 +1110,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1087,10 +1120,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements 
this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -1098,22 +1131,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublishe
r","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -1124,44 +1158,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -1169,48 +1205,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Micro
soft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","
equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -1218,12 +1254,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -1235,51 +1271,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory 
pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -1287,18 +1330,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConf
iguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -1306,20 +1352,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1328,8 +1376,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"
allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1338,16 +1386,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -1360,28 +1408,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"
field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -1394,37 +1442,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -1435,22 +1484,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -1458,132 +1508,149 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detail
s":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"wi
ndows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsof
t.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132a
d9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"c
is-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":
"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1593,25 +1660,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"
Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1620,10 +1687,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer",
"like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imageP
ublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1633,18 +1700,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1653,36 +1720,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1691,7 +1760,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1701,71 +1771,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -1775,7 +1846,17 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"str
ing"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"typ
e":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -1783,108 +1864,124 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security 
Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"
effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Dat
acenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incr
emental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: 
@@ -1893,12 +1990,12 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
,"contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), 
@@ -1906,21 +2003,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -1939,354 +2036,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Guest
Configuration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{
"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure 
Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and 
Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -2295,9 +2425,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -2310,29 +2440,30 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + and the agent is not 
installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"M
icrosoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Event 
Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -2346,84 +2477,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -2432,109 +2566,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2542,32 +2678,38 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"
},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/im
agePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/
policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"[Preview]: + Container Registries should be encrypted with a Customer-Managed Key (CMK)","policyType":"BuiltIn","mode":"Indexed","description":"Audit + Container Registries that do not have encryption enabled with Customer-Managed + Keys (CMK). 
For more information on CMK encryption, please visit: https://aka.ms/acr/CMK.","metadata":{"version":"1.0.0-preview","category":"Container + Registry","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"not":{"field":"Microsoft.ContainerRegistry/registries/encryption.status","equals":"enabled"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580","type":"Microsoft.Authorization/policyDefinitions","name":"5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -2577,17 +2719,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2599,7 +2741,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2607,78 +2749,79 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"
anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplic
ation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central 
India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublish
er","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', 
variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), 
@@ -2686,22 +2829,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2709,11 +2853,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -2721,12 +2865,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"
Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field
":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -2734,11 +2878,12 @@ interactions: variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Configure - time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -2789,7 +2934,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybri
dCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastru
cture-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2799,15 +2944,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2815,72 +2961,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"typ
e":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/i
mageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And 
Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group 
Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2889,10 +3043,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{
"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2902,32 +3056,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + 
implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2936,13 +3090,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2954,31 +3109,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -2992,70 +3147,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3063,13 +3219,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -3077,70 +3233,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -3166,7 +3324,30 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[paramete
rs(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToChec
kForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientC
onnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"stri
ng"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs 
credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -3187,10 +3368,12 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -3198,46 +3381,49 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gue
stConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},
{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"renderin
g-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -3249,7 +3435,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -3261,7 +3447,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3272,40 +3459,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -3314,91 +3501,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer
","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -3407,13 +3596,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS Baud Rate","description":"An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft
.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3424,73 +3614,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledAppli
cation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rende
ring-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -3499,8 +3690,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3510,13 +3701,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3524,94 +3715,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource 
Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -3631,7 +3824,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASer
vice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFiles
AndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreD
eniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type"
:"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -3649,138 +3862,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3788,18 +4013,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -3807,9 +4032,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike"
:"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3822,15 +4047,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -3838,18 +4065,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3857,110 +4085,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Comp
ute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReb
oot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastruct
ure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration 
Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Complian
t"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -3969,7 +4206,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3978,89 +4216,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - 
profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - 
profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base
64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -4092,7 +4333,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(
''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDis
playNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUse
ProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnecti
ons":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -4111,10 +4373,12 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -4123,13 +4387,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4140,36 +4404,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},
"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / 
Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4177,8 +4441,8 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/mach
ines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"fi
eld":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -4186,11 +4450,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute
/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Comput
e/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4201,153 +4465,179 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"App + Configuration should use a customer managed key","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any App Configuration instance that does not use a customer + managed 
key.","metadata":{"version":"1.0.0","category":"App Configuration"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.AppConfiguration/configurationStores"},{"field":"Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1","type":"Microsoft.Authorization/policyDefinitions","name":"967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: - Show audit results from Windows VMs configurations in ''Adminstrative Templates + Show audit results from Windows VMs configurations in ''Administrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfi
gurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + category: ''Administrative Templates - MSS (Legacy)''. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","e
quals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft 
Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West 
US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -4361,109 +4651,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements 
this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure - that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + that ''Java version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4471,42 +4765,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCom
pute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The 
standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event 
Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -4525,111 +4821,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsof
t.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-ser
ver*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft 
Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4637,172 +4936,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authoriza
tion/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -4811,10 +5123,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-inter
net-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + enabled. Windows web servers with lower TLS versions will be marked as 
non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/
imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4829,80 +5141,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -4911,10 +5228,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-wi
ndows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4929,11 +5246,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestC
onfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -4944,21 +5262,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4966,51 +5290,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft
.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaselin
e_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -5020,25 +5344,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDi
sconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogo
nHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5046,28 +5380,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Mic
rosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + 
Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5075,20 +5410,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/m
achines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"f
ield":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5101,57 +5436,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -5163,42 +5504,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are 
generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -5251,7 +5599,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybri
dCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5265,67 +5613,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]
},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.
Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization
/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Microsoft + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -5333,28 +5693,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","eq
uals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -5368,39 +5728,63 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"[Preview]: + Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace + for resource specific categories.","policyType":"BuiltIn","mode":"Indexed","description":"Deploy + Diagnostic Settings for Recovery Services Vault to stream to Log Analytics + workspace for Resource specific categories. 
If any of the Resource specific + categories are not enabled, a new diagnostic setting is created.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Monitoring"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"tagName":{"type":"String","metadata":{"displayName":"Exclusion + Tag Name","description":"Name of the tag to use for excluding vaults from + this policy. This should be used along with the Exclusion Tag Value parameter."},"defaultValue":""},"tagValue":{"type":"String","metadata":{"displayName":"Exclusion + Tag Value","description":"Value of the tag to use for excluding vaults from + this policy. 
This should be used along with the Exclusion Tag Name parameter."},"defaultValue":""}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.RecoveryServices/vaults"},{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","equals":"[parameters(''tagValue'')]"}}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allof":[{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"allof":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].Category","in":["CoreAzureBackup","AddonAzureBackupJobs","AddonAzureBackupAlerts","AddonAzureBackupPolicy","AddonAzureBackupStorage","AddonAzureBackupProtectedInstance"]},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].Enabled","equals":"True"}]}},"Equals":6},{"field":"Microsoft.Insights/diagnosticSettings/workspaceId","notEquals":""},{"field":"Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType","equals":"Dedicated"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"logAnalytics":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.RecoveryServices/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","logAnalyticsDestinationType":"Dedicated","metrics":[],"logs":[{"category":"CoreAzureBackup","enabled":"true"},{"category":"AddonAzureBackupAlerts","enabled":"true"},{"category":"AddonAzureBackupJobs","enabled":"true"},{"category":"AddonAzureBackupPolicy","enabled":"true"},{"category":"AddonAzureBackupProtectedInstance","enabled":"true"},{"category":"AddonAzureBackupStorage","enabled":"true"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(parameters(''logAnalytics''), + ''configured for diagnostic logs for '', '': '', parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]"}}},"parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"vaultName":{"value":"[field(''name'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3","type":"Microsoft.Authorization/policyDefinitions","name":"c717fb0c-d118-4c43-ab3d-ece30ac81fb3"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on 
your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be 
enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5414,11 +5798,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5426,32 +5810,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}
}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/micros
oft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals"
:"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -5462,7 +5847,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -5478,30 +5863,35 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"App + Configuration 
should use a private link","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any App Configuration instance that does not use a private link.","metadata":{"version":"1.0.0","category":"App + Configuration"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.AppConfiguration/configurationStores"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections","existenceCondition":{"field":"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status","equals":"Approved"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7","type":"Microsoft.Authorization/policyDefinitions","name":"ca610c1d-041c-4332-9d88-7ed3094967c7"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy 
And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. 
Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous 
Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5509,88 +5899,102 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCo
mpute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHi
story","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compu
te/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"[Preview]: + Container Registries should not allow unrestricted network access","policyType":"BuiltIn","mode":"Indexed","description":"Audit + Container Registries that do not have any Network (IP or VNET) Rules configured + and allow all network access by default. Container Registries with at least + one IP / Firewall rule or configured virtual network will be deemed compliant. + For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet.","metadata":{"version":"1.0.0-preview","category":"Container + Registry","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","exists":"false"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","equals":"Allow"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71","type":"Microsoft.Authorization/policyDefinitions","name":"d0793b48-0edc-4296-a390-4c75d1bdfd71"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -5601,30 +6005,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5634,8 +6040,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5645,33 +6051,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5684,57 +6090,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialCons
ole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft 
Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5748,41 +6154,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"M
icrosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 
1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5790,43 +6198,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[
{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all 
folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5835,9 +6249,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"ce
nter-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5848,124 +6262,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"}
,{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident 
Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or 
disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), 
sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}
}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"
ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/provide
rs/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"a
nyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', - 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -5973,104 +6412,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account 
status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -6078,20 +6535,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6105,74 +6562,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - 
Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -6182,8 +6641,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6191,26 +6650,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft - Managed Control 1241 - User-Installed Software | Alerts For Unauthorized 
Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft - Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft + Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft + Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule 
Id","description":"The Event Hub authorization rule 
@@ -6225,12 +6689,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6244,25 +6708,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6276,23 +6740,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -6301,11 +6765,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -6315,17 +6779,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -6337,7 +6801,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field"
:"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6345,33 +6810,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: ''Adminstrative Templates + with non-compliant settings in Group Policy category: ''Administrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6379,38 +6849,39 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificat
eInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePubl
isher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub 
instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetC
omplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -6418,10 +6889,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Comp
ute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -6433,7 +6904,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -6447,81 +6918,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be 
accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6529,107 +7008,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Mic
rosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-wi
ndows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System 
Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Microsoft + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + account containing the container with activity logs must be encrypted with + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this 
Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6637,110 +7133,114 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And 
Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer
","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"prope
rties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. 
Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate 
expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + 
''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed - service ports list","description":"The list of service ports allowed in a - Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed service ports list","description":"The list of service ports allowed + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml","values":{"allowedServicePorts":"[parameters(''allowedServicePortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44","type":"Microsoft.Authorization/policyDefinitions","name":"233a2a17-77ca-4fb1-9b6b-69223d272a44"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure services listen only on allowed ports in 
AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -6749,34 +7249,34 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed - container ports list","description":"The list of container ports allowed in - a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed container ports list","description":"The list of container ports allowed + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes 
cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List - of labels","description":"The list of labels to be specified on Pods in a - Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"[Preview]: + List of labels","description":"The list of labels to be specified on Pods + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml","values":{"labels":"[parameters(''labelsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6","type":"Microsoft.Authorization/policyDefinitions","name":"46592696-4c7b-4bf3-9e45-6c2763bdc0a6"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -6786,101 +7286,103 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max - allowed CPU units","description":"The maximum CPU units allowed for a container. - E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max - allowed memory bytes","description":"The maximum memory bytes allowed for - a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"[Preview]: + Max allowed CPU units","description":"The maximum CPU units allowed for a + container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"[Preview]: + Max allowed memory bytes","description":"The maximum memory bytes allowed + for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are 
within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed - container images regex","description":"Regex representing container images - allowed in a Kubernetes cluster. E.g. Regex for azure container registry images - is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS - Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:28:01.355527Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to 
https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"[Preview]: + Allowed container images regex","description":"Regex representing container + images allowed in a Kubernetes cluster. E.g. Regex for azure container registry + images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.9157079Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 
2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}]}' headers: cache-control: - no-cache content-length: - - '1631556' + - '1784813' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:03 GMT + - Wed, 12 Feb 2020 21:36:23 GMT expires: - '-1' pragma: 
@@ -6911,24 +7413,24 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:28:01.355527Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.9157079Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: cache-control: - no-cache content-length: - - '836' + - '837' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:05 GMT + - 
Wed, 12 Feb 2020 21:36:24 GMT expires: - '-1' pragma: 
@@ -6959,24 +7461,24 @@ interactions: - --policy -n --display-name --params --scope --enforcement-mode User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:28:01.355527Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.9157079Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: cache-control: - no-cache content-length: - - '836' + - '837' content-type: - application/json; charset=utf-8 date: 
- - Fri, 06 Dec 2019 22:28:05 GMT + - Wed, 12 Feb 2020 21:36:24 GMT expires: - '-1' pragma: 
@@ -7015,14 +7517,14 @@ interactions: - --policy -n --display-name --params --scope --enforcement-mode User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000006","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","scope":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:28:09.0778582Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000005"}' + string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000006","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","scope":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:25.2833982Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000005"}' headers: cache-control: - no-cache @@ -7031,7 +7533,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:08 GMT + - Wed, 12 Feb 2020 21:36:24 GMT expires: - '-1' pragma: 
@@ -7041,10 +7543,57 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-tenant-writes: - - '1198' + - '1199' status: code: 201 message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment list + Connection: + - keep-alive + ParameterSetName: + - --scope + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments?$filter=atScope()&api-version=2019-09-01 + response: + body: + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000006","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","scope":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:25.2833982Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000005"}]}' + headers: + cache-control: + - no-cache + content-length: + - '885' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 12 Feb 2020 21:36:25 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - 
Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK - request: body: null headers: 
@@ -7062,14 +7611,14 @@ interactions: - -n --scope User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000006","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","scope":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:28:09.0778582Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000005"}' + string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000006","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","scope":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:25.2833982Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000005","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000005"}' headers: cache-control: - no-cache @@ -7078,7 +7627,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:11 GMT + - Wed, 12 Feb 2020 21:36:26 GMT expires: - '-1' pragma: @@ -7111,7 +7660,7 @@ interactions: - --disable-scope-strict-match User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7120,22 +7669,24 @@ interactions: body: string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test Modify initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert - Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-11T22:00:41.5492656Z"},"enforcementMode":"Default"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + msi 
test","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-07T21:29:11.0201724Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"identity":{"principalId":"0576317a-a1c9-4008-8d7f-ce37e8683a15","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/64e6ce4eb2c346f9a84a27ee","type":"Microsoft.Authorization/policyAssignments","name":"64e6ce4eb2c346f9a84a27ee","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + deploy kv diag","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2e3664bc-1446-4c60-bbb2-a192ec075685","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"eventHubRuleId":{"value":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cheggeventhub/providers/microsoft.eventhub/namespaces/chegghubnc/authorizationrules/rootmanagesharedaccesskey"},"eventHubLocation":{"value":"northcentralus"},"metricsEnabled":{"value":"True"}},"description":"","metadata":{"assignedBy":"Chris + 
Eggert","parameterScopes":{"eventHubRuleId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cheggeventhub/providers/microsoft.eventhub/namespaces/chegghubnc","eventHubLocation":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T17:21:07.398321Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:30:41.6847893Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"47d1e25d-97fb-4a14-83e5-a6df3f503479","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/9274a9d820f44b488c6f5e54","type":"Microsoft.Authorization/policyAssignments","name":"9274a9d820f44b488c6f5e54","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg replace tag RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris - Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-20T22:46:27.8117346Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Micro
soft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris - Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-22T04:20:25.4141918Z"},"enforcementMode":"Default"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"rohitbh: - Key vault access policy (Always give Joel access)","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"userObjectId":{"value":"644c17f7-2b49-4549-a67f-bcc0448cd850"}},"description":"Assignment - description","metadata":{"assignedBy":"Rohit Bhardwaj","parameterScopes":{},"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:12:03.5422031Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:23:50.9933459Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"f12ee62c-35e6-45ec-b44b-13587ca23514","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ebccc544c4dd43d29c937f0c","type":"Microsoft.Authorization/policyAssignments","name":"ebccc544c4dd43d29c937f0c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + 
Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: Replace tag without becoming compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty deployment on each KeyVault resource 
(SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys an empty deployment (with one output) on each KeyVault vault. Used for some - PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-21T17:44:38.1610927Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty deployment on each KeyVault resource 
(MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys an empty deployment (with one output) on each KeyVault vault. Used for some PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit @@ -7145,11 +7696,11 @@ interactions: cache-control: - no-cache content-length: - - '10632' + - '11910' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:12 GMT + - Wed, 12 Feb 2020 21:36:26 GMT expires: - '-1' pragma: 
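Review bot: The re-recorded list response in this hunk checks in identity and topology data from the live subscription that has nothing to do with the assignment under test. The added lines carry `assignedBy` display names, `createdBy`/`updatedBy` and `principalId` object IDs, a `tenantId`, and under `eventHubRuleId` the full resource ID of an event hub authorization rule, while only the subscription ID has been zeroed. The preceding request appears to be the `--disable-scope-strict-match` list, which would explain why every assignment visible to the recording account ends up in the body. Scrub these fields before the cassette is committed, preferably in the recording processor so the next re-record does not reintroduce them, e.g. `"tenantId":"00000000-0000-0000-0000-000000000000"` and `"assignedBy":"<redacted>"` (constructed placeholders). Alternatively, record against a subscription that holds only the test's own assignment; the JSON string continues past the end of this hunk, so the unchanged remainder of the body should get the same treatment.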
@@ -7182,24 +7733,24 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T22:27:54.1140605Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T22:28:01.355527Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-12T21:36:19.4764922Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-12T21:36:20.9157079Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: cache-control: - no-cache content-length: - - '836' + - '837' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:17 GMT + - 
Wed, 12 Feb 2020 21:36:28 GMT expires: - '-1' pragma: @@ -7232,7 +7783,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7241,41 +7792,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed 
Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7283,55 +7840,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompu
te/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"
allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -7344,105 +7901,107 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"typ
e":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example values: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"fie
ld":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', 
variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: 
Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -7453,26 +8012,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -7480,7 +8041,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -7499,44 +8060,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -7545,96 +8112,105 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderEx
ploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Comput
e/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsof
t.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"[Preview]: + Audit Azure Spring Cloud 
instances where distributed tracing is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"With + the distributed tracing tools in Azure Spring Cloud, you can easily debug + and monitor complex issues. Azure Spring Cloud integrates Azure Spring Cloud + Sleuth with Azure''s Application Insights. This integration provides powerful + distributed tracing capability from the Azure portal.","metadata":{"version":"1.0.0-preview","category":"App + Platform","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.AppPlatform/Spring"},{"anyOf":[{"field":"Microsoft.AppPlatform/Spring/trace.enabled","notEquals":"true"},{"field":"Microsoft.AppPlatform/Spring/trace.state","notEquals":"Succeeded"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f2d8593-4667-4932-acca-6a9f187af109","type":"Microsoft.Authorization/policyDefinitions","name":"0f2d8593-4667-4932-acca-6a9f187af109"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7644,11 +8220,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*
"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7658,55 +8234,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws 
or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"}
,{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefiniti
ons/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -7715,11 +8296,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7730,22 +8311,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7754,11 +8336,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/i
mageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7768,12 +8350,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7782,7 +8365,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -7791,10 +8375,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements 
this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7802,22 +8386,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublishe
r","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -7828,44 +8413,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -7873,48 +8460,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Micro
soft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","
equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -7922,12 +8509,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -7939,51 +8526,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory 
pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -7991,18 +8585,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConf
iguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8010,20 +8607,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8032,8 +8631,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"
allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8042,16 +8641,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -8064,28 +8663,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"
field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -8098,37 +8697,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -8139,22 +8739,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8162,132 +8763,149 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detail
s":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"wi
ndows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsof
t.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132a
d9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"c
is-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":
"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -8297,25 +8915,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"
Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8324,10 +8942,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer",
"like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imageP
ublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -8337,18 +8955,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8357,36 +8975,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8395,7 +9015,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8405,71 +9026,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -8479,7 +9101,17 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"str
ing"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"typ
e":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -8487,108 +9119,124 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security 
Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"
effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Dat
acenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incr
emental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: 
@@ -8597,12 +9245,12 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
,"contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), 
@@ -8610,21 +9258,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -8643,354 +9291,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Guest
Configuration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{
"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure 
Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and 
Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -8999,9 +9680,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -9014,29 +9695,30 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + and the agent is not 
installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"M
icrosoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Event 
Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -9050,84 +9732,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -9136,109 +9821,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9246,32 +9933,38 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"
},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/im
agePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/
policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"[Preview]: + Container Registries should be encrypted with a Customer-Managed Key (CMK)","policyType":"BuiltIn","mode":"Indexed","description":"Audit + Container Registries that do not have encryption enabled with Customer-Managed + Keys (CMK). 
For more information on CMK encryption, please visit: https://aka.ms/acr/CMK.","metadata":{"version":"1.0.0-preview","category":"Container + Registry","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"not":{"field":"Microsoft.ContainerRegistry/registries/encryption.status","equals":"enabled"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580","type":"Microsoft.Authorization/policyDefinitions","name":"5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -9281,17 +9974,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9303,7 +9996,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9311,78 +10004,79 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"
anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplic
ation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central 
India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublish
er","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), ''/'', 
variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), 
@@ -9390,22 +10084,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9413,11 +10108,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micr
osoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -9425,12 +10120,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":
"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -9438,11 +10133,12 @@ interactions: variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Configure - time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -9493,7 +10189,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybr
idCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastr
ucture-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9503,15 +10199,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9519,72 +10216,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"ty
pe":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/
imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And 
Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group 
Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -9593,10 +10298,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},
{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9606,32 +10311,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + 
implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -9640,13 +10345,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]
}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9658,31 +10364,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -9696,70 +10402,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9767,13 +10474,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","det
ails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -9781,70 +10488,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -9870,7 +10579,8 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[paramete
rs(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToChec
kForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientC
onnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"stri
ng"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -9891,10 +10601,34 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated 
privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to 
check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -9902,46 +10636,49 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gu
estConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"renderin
g-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -9953,7 +10690,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -9965,7 +10702,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","eq
uals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -9976,40 +10714,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -10018,91 +10756,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer
","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10111,13 +10851,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS Baud Rate","description":"An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft
.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10128,73 +10869,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledAppli
cation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rende
ring-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10203,8 +10945,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10214,13 +10956,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10228,94 +10970,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource 
Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -10335,7 +11079,8 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASe
rvice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFile
sAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAre
DeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type
":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -10353,138 +11098,169 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the 
network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. 
Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security 
Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10492,18 +11268,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -10511,9 +11287,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLik
e":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10526,15 +11302,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -10542,18 +11320,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10561,110 +11340,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReb
oot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastruct
ure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration 
Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Complian
t"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10673,7 +11461,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"
field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10682,89 +11471,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - 
profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - 
profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base
64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -10796,7 +11588,8 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters
(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDi
splayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUs
eProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnect
ions":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -10815,10 +11608,32 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + 
Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast 
response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10827,13 +11642,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/
imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10844,36 +11659,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},
"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / 
Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10881,8 +11696,8 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/ma
chines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"
field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -10890,11 +11705,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compu
te/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Comp
ute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10905,153 +11720,179 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information 
Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"App + Configuration should use a customer managed key","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any App Configuration instance that does not use a customer + managed 
key.","metadata":{"version":"1.0.0","category":"App Configuration"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.AppConfiguration/configurationStores"},{"field":"Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1","type":"Microsoft.Authorization/policyDefinitions","name":"967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: - Show audit results from Windows VMs configurations in ''Adminstrative Templates + Show audit results from Windows VMs configurations in ''Administrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfi
gurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + category: ''Administrative Templates - MSS (Legacy)''. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","e
quals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft 
Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West 
US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -11065,109 +11906,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure - that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + that ''Java version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11175,42 +12020,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-ser
ver-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The 
standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event 
Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -11229,111 +12076,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Micros
oft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-s
erver*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft 
Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11341,172 +12191,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authoriza
tion/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -11515,10 +12378,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-int
ernet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + enabled. Windows web servers with lower TLS versions will be marked as 
non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/
imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11533,80 +12396,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micros
oft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11615,10 +12483,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-
windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/
imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11633,11 +12501,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gues
tConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11648,21 +12517,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11670,51 +12545,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaselin
e_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -11724,25 +12599,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServer
DisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLo
gonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11750,28 +12635,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"M
icrosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + 
Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11779,20 +12665,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute
/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11805,57 +12691,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group 
Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -11867,42 +12759,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are 
generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -11955,7 +12854,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hyb
ridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servi
ces"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11969,67 +12868,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]
}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"
field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.
Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization
/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Microsoft + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -12037,28 +12948,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","eq
uals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -12072,39 +12983,63 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"[Preview]: + Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace + for resource specific categories.","policyType":"BuiltIn","mode":"Indexed","description":"Deploy + Diagnostic Settings for Recovery Services Vault to stream to Log Analytics + workspace for Resource specific categories. 
If any of the Resource specific + categories are not enabled, a new diagnostic setting is created.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Monitoring"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"tagName":{"type":"String","metadata":{"displayName":"Exclusion + Tag Name","description":"Name of the tag to use for excluding vaults from + this policy. This should be used along with the Exclusion Tag Value parameter."},"defaultValue":""},"tagValue":{"type":"String","metadata":{"displayName":"Exclusion + Tag Value","description":"Value of the tag to use for excluding vaults from + this policy. 
This should be used along with the Exclusion Tag Name parameter."},"defaultValue":""}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.RecoveryServices/vaults"},{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","equals":"[parameters(''tagValue'')]"}}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allof":[{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"allof":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].Category","in":["CoreAzureBackup","AddonAzureBackupJobs","AddonAzureBackupAlerts","AddonAzureBackupPolicy","AddonAzureBackupStorage","AddonAzureBackupProtectedInstance"]},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].Enabled","equals":"True"}]}},"Equals":6},{"field":"Microsoft.Insights/diagnosticSettings/workspaceId","notEquals":""},{"field":"Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType","equals":"Dedicated"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"logAnalytics":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.RecoveryServices/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","logAnalyticsDestinationType":"Dedicated","metrics":[],"logs":[{"category":"CoreAzureBackup","enabled":"true"},{"category":"AddonAzureBackupAlerts","enabled":"true"},{"category":"AddonAzureBackupJobs","enabled":"true"},{"category":"AddonAzureBackupPolicy","enabled":"true"},{"category":"AddonAzureBackupProtectedInstance","enabled":"true"},{"category":"AddonAzureBackupStorage","enabled":"true"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(parameters(''logAnalytics''), + ''configured for diagnostic logs for '', '': '', parameters(''vaultName''), + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]"}}},"parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"vaultName":{"value":"[field(''name'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3","type":"Microsoft.Authorization/policyDefinitions","name":"c717fb0c-d118-4c43-ab3d-ece30ac81fb3"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on 
your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be 
enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12118,11 +13053,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12130,32 +13065,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}
}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/micros
oft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals"
:"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -12166,7 +13102,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -12182,30 +13118,35 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"App + 
Configuration should use a private link","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any App Configuration instance that does not use a private link.","metadata":{"version":"1.0.0","category":"App + Configuration"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.AppConfiguration/configurationStores"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections","existenceCondition":{"field":"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status","equals":"Approved"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7","type":"Microsoft.Authorization/policyDefinitions","name":"ca610c1d-041c-4332-9d88-7ed3094967c7"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency 
Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. 
Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous 
Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12213,88 +13154,102 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.Hybrid
Compute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHi
story","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compu
te/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"[Preview]: + Container Registries should not allow unrestricted network access","policyType":"BuiltIn","mode":"Indexed","description":"Audit + Container Registries that do not have any Network (IP or VNET) Rules configured + and allow all network access by default. Container Registries with at least + one IP / Firewall rule or configured virtual network will be deemed compliant. + For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet.","metadata":{"version":"1.0.0-preview","category":"Container + Registry","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","exists":"false"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","equals":"Allow"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71","type":"Microsoft.Authorization/policyDefinitions","name":"d0793b48-0edc-4296-a390-4c75d1bdfd71"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -12305,30 +13260,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12338,8 +13295,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12349,33 +13306,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12388,57 +13345,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialCons
ole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft 
Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12452,41 +13409,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"M
icrosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 
1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12494,43 +13453,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12539,9 +13504,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -12552,124 +13517,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"}
,{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident 
Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or 
disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), 
sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}
}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"
ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/provide
rs/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"a
nyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', - 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -12677,104 +13667,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin 
Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval 
Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and 
Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -12782,20 +13790,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12809,74 +13817,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - 
Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -12886,8 +13896,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12895,26 +13905,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12929,12 +13944,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12948,25 +13963,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12980,23 +13995,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -13005,11 +14020,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13019,17 +14034,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -13041,7 +14056,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -13049,33 +14065,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: ''Adminstrative Templates + with non-compliant settings in Group Policy category: ''Administrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13083,38 +14104,39 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.Hybri
dCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificat
eInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePubl
isher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub 
instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetC
omplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -13122,10 +14144,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13137,7 +14159,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -13151,81 +14173,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be 
accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13233,107 +14263,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"M
icrosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-
windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System 
Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Microsoft + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + account containing the container with activity logs must be encrypted with + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this 
Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13341,110 +14388,114 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","
details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal
"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And 
Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer
","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"prope
rties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. 
Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate 
expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + 
''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed - service ports list","description":"The list of service ports allowed in a - Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed service ports list","description":"The list of service ports allowed + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml","values":{"allowedServicePorts":"[parameters(''allowedServicePortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44","type":"Microsoft.Authorization/policyDefinitions","name":"233a2a17-77ca-4fb1-9b6b-69223d272a44"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure services listen only on allowed ports in 
AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -13453,34 +14504,34 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed - container ports list","description":"The list of container ports allowed in - a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed container ports list","description":"The list of container ports allowed + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes 
cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List - of labels","description":"The list of labels to be specified on Pods in a - Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"[Preview]: + List of labels","description":"The list of labels to be specified on Pods + in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS 
Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml","values":{"labels":"[parameters(''labelsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6","type":"Microsoft.Authorization/policyDefinitions","name":"46592696-4c7b-4bf3-9e45-6c2763bdc0a6"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -13490,100 +14541,102 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max - allowed CPU units","description":"The maximum CPU units allowed for a container. - E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max - allowed memory bytes","description":"The maximum memory bytes allowed for - a container. E.g. 1Gi. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"[Preview]: + Max allowed CPU units","description":"The maximum CPU units allowed for a + container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"[Preview]: + Max allowed memory bytes","description":"The maximum memory bytes allowed + for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are 
within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed - container images regex","description":"Regex representing container images - allowed in a Kubernetes cluster. E.g. Regex for azure container registry images - is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes","preview":true},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"[Preview]: + Allowed container images regex","description":"Regex representing container + images allowed in a Kubernetes cluster. E.g. 
Regex for azure container registry + images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"}]}' headers: cache-control: - no-cache content-length: - - '1630719' + - '1783975' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:29 GMT + - Wed, 12 Feb 2020 21:36:40 GMT expires: - '-1' pragma: 
@@ -13607,49 +14660,42 @@ interactions: Accept-Encoding: - gzip, deflate CommandName: - - account management-group delete + - policy definition show Connection: - keep-alive - Content-Length: - - '0' ParameterSetName: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US - method: POST - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management/register?api-version=2019-07-01 + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/%2Fproviders%2Fmicrosoft.management%2Fmanagementgroups%2FmyMg%2Fproviders%2Fmicrosoft.authorization%2Fmissingsegment?api-version=2019-09-01 response: body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2018-03-01-p
review","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' + string: '{"error":{"code":"ResourceTypeNotSupported","message":"Unsupported + resource type: ''Microsoft.Authorization/policyDefinitions/microsoft.management/myMg/microsoft.authorization''."}}' headers: cache-control: - no-cache content-length: - - '1688' + - '179' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:32 GMT + - Wed, 12 Feb 2020 21:36:41 GMT expires: - '-1' pragma: - no-cache strict-transport-security: - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding x-content-type-options: - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' status: - code: 200 - message: OK + code: 404 + message: Not Found - request: body: null headers: 
@@ -13658,40 +14704,98 @@ interactions: Accept-Encoding: - gzip, deflate CommandName: - - account management-group delete + - policy definition show Connection: - keep-alive ParameterSetName: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management?api-version=2019-07-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/%2Fproviders%2Fmicrosoft.management%2Fmanagementgroups%2FmyMg%2Fproviders%2Fmicrosoft.authorization%2Fmissingsegment?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"AuthorizationFailed","message":"The client ''cheggert@microsoft.com'' + with object id ''36e2f355-d2e2-4fbc-88ab-4281639dff94'' does not have authorization + to perform action ''Microsoft.Authorization/policyDefinitions/microsoft.management/myMg/microsoft.authorization/read'' + over scope ''/providers/Microsoft.Authorization/policyDefinitions/providers/microsoft.management/managementgroups/myMg/providers/microsoft.authorization/missingsegment'' + or the scope is invalid. 
If access was recently granted, please refresh your + credentials."}}' + headers: + cache-control: + - no-cache + connection: + - close + content-length: + - '545' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 12 Feb 2020 21:36:41 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-failure-cause: + - gateway + status: + code: 403 + message: Forbidden +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - account management-group delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: POST + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management/register?api-version=2019-07-01 response: body: - string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults/asyncOperation","locations":[],"apiVersions":["2019-11-01","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '1688' + - '1914' 
content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:42 GMT + - Wed, 12 Feb 2020 21:36:42 GMT expires: - '-1' pragma: - no-cache strict-transport-security: - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked vary: - Accept-Encoding x-content-type-options: - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' status: code: 200 message: OK 
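Review bot: The 403 `AuthorizationFailed` response body added in this hunk for `policy definition show` stores the recording user's sign-in name and directory object id in clear text, while the subscription id in the same cassette is already masked as `00000000-0000-0000-0000-000000000000`. The recording is committed to the repository, so both values should be masked the same way, for example `The client ''user@example.com'' with object id ''00000000-0000-0000-0000-000000000000'' does not have authorization` (sample values constructed for this note). The test presumably depends only on the status code and error code, so the replacement should not change replay behaviour; confirm that, and adjust the recorded `content-length` of `'545'` if the playback layer compares it. A scrubbing step for principal names and object ids in the recording pipeline would keep them from reappearing on the next re-record.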
@@ -13702,54 +14806,44 @@ interactions: - application/json Accept-Encoding: - gzip, deflate - Cache-Control: - - no-cache CommandName: - account management-group delete Connection: - keep-alive - Content-Length: - - '0' ParameterSetName: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US - method: DELETE - uri: https://management.azure.com/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management?api-version=2019-07-01 response: body: - string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"NotStarted"}' + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Management","namespace":"Microsoft.Management","authorization":{"applicationId":"f2c304cf-8e7e-4c3f-8164-16299ad9d272","roleDefinitionId":"c1cf3708-588a-4647-be7f-f400bbe214cf"},"resourceTypes":[{"resourceType":"resources","locations":[],"apiVersions":["2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"managementGroups","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"getEntities","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"checkNameAvailability","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview"],"capabilities":"None"},{"resourceType":"operationResults/asyncOperation","locations":[],"apiVersions":["2019-11-01","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta","2018-01-01-preview","2017-11-01-preview","2017-08-31-preview","2017-06-30-preview","2017-05-31-preview"],"capabilities":"None"},{"resourceType":"tenantBackfillStatus","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"},{"resourceType":"startTenantBackfill","locations":[],"apiVersions":["2019-11-01","2018-03-01-preview","2018-03-01-beta"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '208' + - '1914' 
content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:46 GMT + - Wed, 12 Feb 2020 21:36:52 GMT expires: - '-1' - location: - - https://management.azure.com/providers/Microsoft.Management/operationResults/delete/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview pragma: - no-cache - request-id: - - e83138d5-0e3c-43ec-9ffb-a421843d017f strict-transport-security: - max-age=31536000; includeSubDomains - x-ba-restapi: - - 1.0.3.1543 + vary: + - Accept-Encoding x-content-type-options: - nosniff - x-ms-ratelimit-remaining-tenant-deletes: - - '14999' status: - code: 202 - message: Accepted + code: 200 + message: OK - request: body: null headers: 
@@ -13757,29 +14851,35 @@ interactions: - application/json Accept-Encoding: - gzip, deflate + Cache-Control: + - no-cache CommandName: - account management-group delete Connection: - keep-alive + Content-Length: + - '0' ParameterSetName: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 - method: GET - uri: https://management.azure.com/providers/Microsoft.Management/operationResults/delete/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: DELETE + uri: https://management.azure.com/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: body: - string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Running"}' + string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"NotStarted"}' headers: cache-control: - no-cache content-length: - - '205' + - '208' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:28:58 GMT + - Wed, 12 Feb 2020 21:36:58 GMT expires: - '-1' location: @@ -13787,13 +14887,15 @@ interactions: pragma: - no-cache request-id: - - 5c9a5d1b-6c7b-4b8c-8833-8f1fa38de10b + - e264481f-ae21-4844-a70b-74411076b514 strict-transport-security: - max-age=31536000; includeSubDomains x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1550 x-content-type-options: - nosniff + x-ms-ratelimit-remaining-tenant-deletes: + - '14999' status: code: 202 message: Accepted 
@@ -13812,7 +14914,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/providers/Microsoft.Management/operationResults/delete/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: @@ -13826,13 +14928,13 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:29:08 GMT + - Wed, 12 Feb 2020 21:37:08 GMT expires: - '-1' pragma: - no-cache request-id: - - e87f5903-bb64-471d-a281-26eae2e24326 + - 85c2aab0-739e-4ce7-b790-3c54bb3df515 strict-transport-security: - max-age=31536000; includeSubDomains transfer-encoding: @@ -13840,7 +14942,7 @@ interactions: vary: - Accept-Encoding,Accept-Encoding x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1550 x-content-type-options: - nosniff status: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_subscription_id.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_subscription_id.yaml deleted file mode 100644 index db1850675ce..00000000000 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policy_subscription_id.yaml +++ /dev/null 
@@ -1,4087 +0,0 @@ -interactions: -- request: - body: '{"properties": {"mode": "Indexed", "displayName": "test_policy000003", - "description": "desc_for_test_policy_123", "policyRule": {"if": {"not": {"field": - "location", "in": "[parameters(''allowedLocations'')]"}}, "then": {"effect": - "deny"}}, "metadata": {"category": "test"}, "parameters": {"allowedLocations": - {"type": "array", "metadata": {"description": "The list of locations that can - be specified when deploying resources", "strongType": "location", "displayName": - "Allowed locations"}}}}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition create - Connection: - - keep-alive - Content-Length: - - '493' - Content-Type: - - application/json; charset=utf-8 - ParameterSetName: - - -n --rules --params --display-name --description --mode --metadata --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '846' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:10 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition update - Connection: - - keep-alive - ParameterSetName: - - -n --description --display-name --metadata --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '846' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:11 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: '{"properties": {"displayName": "test_policy000003_new", "description": - "desc_for_test_policy_123_new", "policyRule": {"if": {"not": {"field": "location", - "in": "[parameters(''allowedLocations'')]"}}, "then": {"effect": "deny"}}, "metadata": - {"category": "test2"}, "parameters": {"allowedLocations": {"type": "Array", - "metadata": {"description": "The list of locations that can be specified when - deploying resources", "strongType": "location", "displayName": "Allowed locations"}}}}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition update - Connection: - - keep-alive - Content-Length: - - '483' - Content-Type: - - application/json; charset=utf-8 - ParameterSetName: - - -n --description --display-name --metadata --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: PUT - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:12.2593255Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '915' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:11 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition update - Connection: - - keep-alive - ParameterSetName: - - -n --description --display-name --metadata --params --rules --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - 
en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:12.2593255Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '915' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:12 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: '{"properties": {"displayName": "test_policy000003_new", "description": - "desc_for_test_policy_123_new", "policyRule": {"if": {"not": {"field": "location", - "in": "[parameters(''allowedLocations'')]"}}, "then": {"effect": "audit"}}, - "metadata": {"category": "test2"}, "parameters": {"allowedLocations": {"type": - "array", "metadata": {"displayName": "Allowed locations 2"}}}}}' - headers: - 
Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition update - Connection: - - keep-alive - Content-Length: - - '373' - Content-Type: - - application/json; charset=utf-8 - ParameterSetName: - - -n --description --display-name --metadata --params --rules --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:13.1409229Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '809' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:13 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 201 - message: Created -- request: - body: null - headers: - 
Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition list - Connection: - - keep-alive - ParameterSetName: - - --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-01-01 - response: - body: - string: '{"value":[{"properties":{"displayName":"Audit virtual machines without - disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit - virtual machines which do not have disaster recovery configured. To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the remote host connection status does not match - the specified one","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the remote host connection - status does not match the specified one. This policy should only be used along - with its corresponding deploy policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsRemoteConnection"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"SQL - managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent - Data Encryption (TDE) with your own key support provides increased transparency - and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer",
"in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Diagnostic - logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Audit - SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit - VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"CORS - should not allow every resource to access your Function App","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - Function app. 
Allow only required domains to interact with your Function app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined - and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - values: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft
.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","param
eters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There - should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It - is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Disk - encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs - without an enabled disk encryption will be monitored by Azure Security Center - as 
recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Audit - resource location matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"SQL - server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent - Data Encryption (TDE) with your own key support provides increased transparency - and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which Windows Defender Exploit Guard - is not enabled. This policy should only be used along with its corresponding - deploy policy in an initiative/policy set. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id"
:"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"[Preview]: - Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict - access to the Kubernetes Service Management API by granting API access only - to IP addresses in specific ranges. It is recommended to limit access to authorized - IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote - debugging should be turned off for Function App","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on an function app. 
Remote - debugging should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not contain the specified - certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows VMs that - do not contain the specified certificates in the Trusted Root Certification - Authorities certificate store (Cert:\\LocalMachine\\Root). It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrast
ructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', - ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"[Preview]: - Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if the VM Image (OS) is not in the list defined and the - agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified applications - installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application - names (supports wildcards)","description":"A semicolon-separated list of the - names of the applications that should be installed. e.g. 
''Microsoft SQL Server - 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20
f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', - ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group contains - any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group contains any of the specified members. It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members - to exclude","description":"A semicolon-separated list of members that should - be excluded in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":
"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', - ''='', parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have a minimum password - age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have a minimum password age of 1 day. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab8
8-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows virtual machines that do not have the specified Windows - PowerShell modules installed. This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPowerShellModules"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"[Preview]: - Access to App Services should be 
restricted","policyType":"BuiltIn","mode":"All","description":"Azure - security center has discovered that the networking configuration of some of - your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances which do not have recurring vulnerability assessment - scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined - and the agent is not installed. 
The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent"
,"vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Virtual - machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use - new Azure Resource Manager for your virtual machines to provide security enhancements - such as: stronger access control (RBAC), better auditing, ARM-based deployment - and governance, access to managed identities, access to key vault for secrets, - Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to 
match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.classicCompute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Require - tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. 
Does not apply to resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An - Azure Active Directory administrator should be provisioned for SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - provisioning of an Azure Active Directory administrator for your SQL server - to enable Azure AD authentication. Azure AD authentication enables simplified - permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure - security center has discovered that some of your virtual machines are running - web 
applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"[Deprecated]: - Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Management - ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open - remote management ports are exposing your VM to a high level of risk from - Internet-based attacks. These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Only - secure connections to your 
Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of only connections via SSL to Redis Cache. Use of secure connections - ensures authentication between the server and the service and protects data - in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not restrict the minimum - password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not restrict the minimum password length to 14 characters. It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a
0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows virtual machines that do not have a maximum password - age of 70 days. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MaximumPasswordAge"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Endpoint - protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit - the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Metric - alert 
rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit - configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric - name","description":"The metric name that an alert rule must be enabled on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', - subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, - ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Deploy - default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This - policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware 
extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of file extensions to exclude from 
scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates - whether or not real time protection is enabled (default is true)"}},"ScheduledScanSettingsIsEnabled":{"type":"string","defaultValue":"false","metadata":{"description":"Indicates - whether or not custom scheduled scan settings are enabled (default is false)"}},"ScheduledScanSettingsScanType":{"type":"string","defaultValue":"Quick","metadata":{"description":"Indicates - whether scheduled scan setting type is set to Quick or Full (default is Quick)"}},"ScheduledScanSettingsDay":{"type":"string","defaultValue":"7","metadata":{"description":"Day - of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"}},"ScheduledScanSettingsTime":{"type":"string","defaultValue":"120","metadata":{"description":"When - to perform the scheduled scan, measured in minutes from midnight (0-1440). 
- For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Append - tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends - the specified tag and value when any resource which is missing this tag is - created or updated. Does not modify the tags of resources created before this - policy was applied until those resources are changed. 
Does not apply to resource - groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not store passwords using reversible - encryption. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"StorePasswordsUsingReversibleEncryption"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that allow remote connections from accounts - without passwords. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid110"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"[Deprecated]: - Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that 
are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not joined to the specified domain. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain - Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-secur
ity-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', - ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if the VM Image (OS) is not in the list defined and the - agent is not installed. 
The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Windo
wsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","
SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs on which the specified services are not - installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the specified services are not installed and ''Running''. 
It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service - names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', - ''='', parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that have accounts without passwords. It also creates a system-assigned managed - identity and deploys the VM extension for Guest Configuration. This policy - should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Mic
rosoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Audit - unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit - unrestricted network access in your storage account firewall settings. Instead, - configure network rules so only applications from allowed networks can access - the storage account. 
To allow connections from specific internet or on-premise - clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Diagnostic - logs in Logic Apps should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have a maximum password - age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have a maximum password age of 70 days. 
It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists"
,"details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS - should not allow every resource to access your API App","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - API app. Allow only required domains to interact with your API app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Gateway - subnets should not be configured with a network security 
group","policyType":"BuiltIn","mode":"All","description":"This - policy denies if a gateway subnet is configured with a network security group. - Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Deploy - Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2017-08-01-preview","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), - ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Automation - account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It - is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Deploy - Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"Storage - accounts should be migrated to new Azure Resource Manager 
resources","policyType":"BuiltIn","mode":"All","description":"Use - new Azure Resource Manager for your storage accounts to provide security enhancements - such as: stronger access control (RBAC), better auditing, Azure Resource Manager - based deployment and governance, access to managed identities, access to key - vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.classicStorage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Diagnostic - logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Advanced - data security settings for SQL managed instance should contain an email address - to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure - that an email address is provided for the ''Send alerts to'' field in the - Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"[Preview]: - Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define - Pod Security Policies to reduce the attack vector by removing unnecessary - application privileges. 
It is recommended to configure Pod Security Policies - to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. The list of OS images will be - updated over time as support is updated. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLSer
ver"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"De
pendencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. The list of OS images will be - updated over time as support is updated. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Mi
crosoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","content
Version":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities - in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit - the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Deploy - default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Secure - transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - requirment of Secure transfer in your storage account. Secure transfer is - an option that forces your storage account to accept requests only from secure - connections (HTTPS). 
Use of HTTPS ensures authentication between the server - and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Diagnostic - logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Deprecated]: - Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network - Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Require - SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures all SQL servers use version 12.0","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Python version for the latest security classes. 
Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require - automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This - policy enforces enabling automatic OS image patching on Virtual Machine Scale - Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Adaptive - 
Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Append - tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends - the specified tag and value when any resource group which is missing this - tag is created or updated. 
Does not modify the tags of resource groups created - before this policy was applied until those resource groups are changed.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Deploy - requirements to audit Linux VMs that do not have the specified applications - installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Linux virtual machines that - do not have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft
.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', - ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', - '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: - ['', replace(parameters(''ApplicationName''), '';'', '',''), 
'']'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf"
:[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"A - maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It - is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security - 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"CORS - should not allow every resource to access your Web Application","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - web application. 
Allow only required domains to interact with your web app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have a minimum password - age of 1 day. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MinimumPasswordAge"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not restrict the minimum password - length to 14 characters. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MinimumPasswordLength"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Audit - Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that have the specified applications - installed. 
This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"not_installed_application_linux"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the remote host connection - status does not match the specified one","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the remote host connection status does not match the specified one. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. 
''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. ''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOf
fer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', - ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', - ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', - ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMSS as non-compliant if the VM Image (OS) is not in the list defined and - the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLE
S-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"External - accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"[Deprecated]: - Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WhitelistedApplication"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Allow - resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: West India, South India, - Central India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imag
eOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"External - accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Audit - Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows web servers that are not using 
secure communication - protocols (TLS 1.1 or TLS 1.2). This policy should only be used along with - its corresponding deploy policy in an initiative. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AuditSecureProtocol"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy - Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Data Security on SQL Servers. This includes turning - on Threat Detection and Vulnerability Assessment. 
It will automatically create - a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), - variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', - variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2016-01-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"Storage","properties":{}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/vulnerabilityAssessments","apiVersion":"2018-06-01-preview","properties":{"storageContainerPath":"[concat(reference(resourceId(''Microsoft.Storage/storageAccounts'', - 
variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', - variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', - variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Service - Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","policyType":"BuiltIn","mode":"Indexed","description":"Service - Fabric provides three levels of protection (None, Sign and EncryptAndSign) - for node-to-node communication using a primary cluster certificate. 
Set the - protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"[Deprecated]: - Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This - policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the Log Analytics agent - is not connected as 
expected","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the Log Analytics agent is not connected to the specified workspaces. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative/policy set. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', - ''='', parameters(''WorkspaceId'')))]"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which Windows Defender Exploit - Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which Windows Defender Exploit Guard is not enabled. It also creates a - system-assigned managed identity and deploys the VM extension for Guest Configuration. - This policy should only be used along with its corresponding audit policy - in an initiative/policy set. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-i
nternet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', - ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","type":"Microsoft.Authorization/policyDefinitions","name":"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Deprecated - accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated - accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Not - allowed resource types","policyType":"BuiltIn","mode":"All","description":"This - policy enables you to specify the resource types that your organization cannot - deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The - list of resource types that cannot be deployed.","displayName":"Not allowed - resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Function - App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Allow - resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows VMs on which the Desired State Configuration (DSC) configuration - is not compliant. This policy is only applicable to machines with WMF 4 and - above. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsDscConfiguration"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that allow re-use of the previous - 24 passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that allow re-use of the previous 24 passwords. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0
-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","type":"Microsoft.Authorization/policyDefinitions","name":"726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"properties":{"displayName":"Allowed - storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify a set of storage account SKUs 
that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The - list of SKUs that can be specified for storage accounts.","displayName":"Allowed - SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"[Deprecated]: - Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of diagnostic logs on the app. This enables you to recreate activity - trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Vulnerabilities - should be remediated by a 
Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors - vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list - defined and the agent is not installed. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microso
ft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Deploy - requirements to audit Windows Server VMs on which Windows Serial Console is - not 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows Server virtual machines - on which Windows Serial Console is not enabled. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS - Port Number","description":"An integer indicating the COM port to be used - for the Emergency Management Services (EMS) console redirection. For more - information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS - Baud Rate","description":"An integer indicating the baud rate to be used for - the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existen
ceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', - ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', - ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Diagnostic - logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: - Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures blob encryption for storage accounts is turned on. It only - applies to Microsoft.Storage resource types, not other storage providers. 
- This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Audit - Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"NotInstalledApplication"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that have not restarted within the - specified number of days. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MachineLastBootUpTime"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have the password complexity - setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the password complexity setting enabled. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/
b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Audit - diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected 
resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource - Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"SQL - Auditing settings should have Action-Groups configured to capture critical - activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups - property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, - FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Diagnostic - logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network - interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy denies the network interfaces which are configured with any public - IP. 
Public IP addresses allow internet resources to communicate inbound to - Azure resources, and Azure resources to communicate outbound to the internet. - This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Deploy - SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), - 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System - updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing - security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Require - specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. 
Does not apply to resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Deploy - requirements to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft
.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', - ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', - '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: - ['', replace(parameters(''ApplicationName''), '';'', '',''), 
'']'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Network - interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This - policy denies the network interfaces which enabled IP forwarding. The setting - of IP forwarding disables Azure''s check of the source and destination for - a network interface. 
This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"SQL - servers should be configured with auditing retention days greater than 90 - days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Audit - Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines with a pending reboot. This policy - should only be used along with its corresponding deploy policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPendingReboot"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Require - tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not store passwords using - reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not store passwords using reversible encryption. 
It also creates a - system-assigned managed identity and deploys the VM extension for Guest Configuration. - This policy should only be used along with its corresponding audit policy - in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists"
,"details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified Windows PowerShell - modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the specified Windows PowerShell modules installed. It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell - Modules","description":"A semicolon-separated list of the names of the PowerShell - modules that should be installed. You may also specify a specific version - of a module that should be installed by including a comma after the module - name, followed by the desired version. e.g. 
PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/
parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', - ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that contain certificates expiring within the specified - number of 
days","policyType":"BuiltIn","mode":"All","description":"This policy - audits Windows virtual machines that contain certificates expiring within - the specified number of days. This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"CertificateExpiration"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group does not - contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group does not contain all of the specified members. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members - to include","description":"A semicolon-separated list of members that should - be included in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":
"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', - ''='', parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Allow - resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Require - specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', - parameters(''tagName''), 
'']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Advanced - data security settings for SQL server should contain an email address to receive - security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure - that an email address is provided for the ''Send alerts to'' field in the - Advanced Data Security server settings. This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Allow - resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West 
US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Azure SQL Database to stream to a regional Event - Hub on any Azure SQL Database which is missing this diagnostic settings is - created or updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest 
security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Access - through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure - Security center has identified some of your Network Security Groups'' inbound - rules to be too permissive. Inbound rules should not allow access from ''Any'' - or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Append - tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends - the specified tag with its value from the resource group when any resource - which is missing this tag is created or updated. 
Does not modify the tags - of resources created before this policy was applied until those resources - are changed.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","exists":"true"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Audit - Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that are not set to the specified time - zone. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsTimeZone"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the Log Analytics agent is - not connected to the specified workspaces. This policy should only be used - along with its corresponding deploy policy in an initiative/policy set. For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsLogAnalyticsAgentConnection"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Allowed - resource types","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify the resource types that your organization can - deploy. Only resource types that support ''tags'' and ''location'' will be - affected by this policy. 
To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The - list of resource types that can be deployed.","displayName":"Allowed resource - types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"All - authorization rules except RootManageSharedAccessKey should be removed from - Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service - Bus clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service - Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Audit - Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This - 
policy audits Windows virtual machines that are not joined to the specified - domain. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsDomainMembership"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Audit - usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit - built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC - roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web - Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired - Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"DDoS - Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS - protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Require - encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data - Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Monitor - unencrypted SQL databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted - SQL databases will be monitored by Azure Security Center as recommendations","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Deploy - network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a network watcher resource in regions with virtual networks. - You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', - 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"MFA - should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Automatic - provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs - security agent on VMs for advanced security alerts and preventions in Azure - Security Center. 
Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Advanced - data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced - data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data 
Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"[Preview]: - Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To - provide granular filtering on the actions that users can perform, use Role-Based - Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"Allow - resource 
creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.environment","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Email - notifications to admins and subscription owners should be enabled in SQL managed - instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that ''email notification to admins and subscription owners'' is enabled in - the SQL managed instance advanced threat protection settings. This ensures - that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Monitor - missing Endpoint Protection in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Servers - without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"Monitor - unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL - servers which don''t have SQL auditing turned on will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Just-In-Time - network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that do not have the passwd file permissions - set to 0644. 
This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid121"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"All - authorization rules except RootManageSharedAccessKey should be removed from - Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event - Hub clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event - Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Deploy - requirements to audit Windows web servers that are not using secure communication - protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows web servers that - are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-
ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AuditSecureProtocol"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"},{"properties":{"displayName":"Diagnostic - logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"Service - Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit - usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Diagnostic - logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of diagnostic logs on the app. This enables you to recreate activity - trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"API - App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - 
of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group does not - contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group does not contain only the specified members. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A - semicolon-separated list of all the expected members of the Administrators - local group. 
Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(co
ncat(''[LocalGroup]AdministratorsGroup;Members'', - ''='', parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"[Preview]: 
- IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling - IP forwarding on a virtual machine''s NIC allows the machine to receive traffic - addressed to other destinations. IP forwarding is rarely required (e.g., when - using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced - Threat Protection types should be set to ''All'' in SQL managed instance Advanced - Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable all Advanced Threat Protection types on your SQL - servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group contains any of the specified - members","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows virtual machines in which the Administrators group contains any of - the specified members. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembersToExclude"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Allow - resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not set to the specified time zone. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. 
This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) - International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) - Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) - Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) - Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) - Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time - (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US - & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, - Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio - Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) - Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks - and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) - Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San - Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) - Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) - Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) - Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated - Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) - Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, - Lisbon, London","(UTC+00:00) Monrovia, 
Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) - Casablanca","(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) - Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, - Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) - West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) - Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) - Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, - Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) - Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) - Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, - St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu - Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) - Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) - Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) - Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) - Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) - Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) - Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, - Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) - Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, - Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, - Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) - Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) - Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) 
Adelaide","(UTC+09:30) - Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) - Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) - Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) - Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) - Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) - Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) - Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) - Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', - ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"},{"properties":{"displayName":"Audit - Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the specified services are - not installed and ''Running''. This policy should only be used along with - its corresponding deploy policy in an initiative. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsServiceStatus"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"System - updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit - whether there are any missing system security updates and critical updates - that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that have 
accounts without passwords. - This policy should only be used along with its corresponding deploy policy - in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid232"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that contain certificates expiring - within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that contain certificates expiring within the specified number of days. It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' - which is the root certificate store path, so all certificates on the machine - will be checked. 
Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. 
False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Micro
soft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', - ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', - ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', - ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', - ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', - ''='', parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"IncludeExpiredCertificates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Email - notifications to admins and subscription owners should be enabled in SQL server - advanced data security 
settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that ''email notification to admins and subscription owners'' is enabled in - the SQL server advanced threat protection settings. This ensures that any - detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"[Deprecated]: - API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Diagnostic - logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with a pending reboot. It also creates a system-assigned managed identity - and deploys the VM extension for Guest Configuration. This policy should only - be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0
-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c","type":"Microsoft.Authorization/policyDefinitions","name":"c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This - policy automatically deploys diagnostic 
settings to network security groups. - A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage - Account Prefix for Regional Storage Account","description":"This prefix will - be combined with the network security group location to form the created storage - account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource - Group Name for Storage Account (must exist)","description":"The resource group - that the storage account will be created in. This resource group must already - exist.","strongType":"ExistingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/networkSecurityGroups"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"setbypolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"},"nsgName":{"type":"string"},"rgName":{"type":"string"}},"variables":{"storageDeployName":"[concat(''policyStorage_'', - uniqueString(parameters(''location''), 
parameters(''nsgName'')))]"},"resources":[{"type":"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings","name":"[concat(parameters(''nsgName''),''/Microsoft.Insights/setbypolicy'')]","apiVersion":"2017-05-01-preview","location":"[parameters(''location'')]","dependsOn":["[variables(''storageDeployName'')]"],"properties":{"storageAccountId":"[reference(variables(''storageDeployName'')).outputs.storageAccountId.value]","logs":[{"category":"NetworkSecurityGroupEvent","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"NetworkSecurityGroupRuleCounter","enabled":true,"retentionPolicy":{"enabled":false,"days":0}}]}},{"apiVersion":"2017-05-10","name":"[variables(''storageDeployName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''rgName'')]","properties":{"mode":"incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"}},"resources":[{"apiVersion":"2017-06-01","type":"Microsoft.Storage/storageAccounts","name":"[concat(parameters(''storageprefix''), - parameters(''location''))]","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"[parameters(''location'')]","tags":{"created-by":"policy"},"scale":null,"properties":{"networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[],"virtualNetworkRules":[]},"supportsHttpsTrafficOnly":true}}],"outputs":{"storageAccountId":{"type":"string","value":"[resourceId(parameters(''rgName''), - ''Microsoft.Storage/storageAccounts'',concat(parameters(''storagePrefix''), - 
parameters(''location'')))]"}}}}}]},"parameters":{"location":{"value":"[field(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"},"rgName":{"value":"[parameters(''rgName'')]"},"nsgName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","type":"Microsoft.Authorization/policyDefinitions","name":"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89"},{"properties":{"displayName":"Remote - debugging should be turned off for Web Application","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group does not contain only the specified - members","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows virtual machines in which the Administrators group does not contain - only the specified members. 
This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembers"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: - Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center monitors the data discovery and classification scan results - for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed - virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The - list of SKUs that can be specified for virtual machines.","displayName":"Allowed - SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Allow - resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is 
set","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that allow re-use of the previous 24 - passwords. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"EnforcePasswordHistory"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Diagnostic - logs in Key Vault should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"[Deprecated]: - Audit Function Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security 
Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the DSC configuration is - not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows VMs on which - the Desired State Configuration (DSC) configuration is not compliant. This - policy is only applicable to machines with WMF 4 and above. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-4
2a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Audit - Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows Server virtual machines on which Windows Serial Console - is not enabled. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsSerialConsole"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"Allow - resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified Windows PowerShell - execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - where Windows PowerShell is not configured to use the specified PowerShell - execution policy. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compu
te/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', - ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Vulnerabilities - in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers - which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"[Preview]: - Audit Dependency Agent Deployment in VMSS - VM Image (OS) 
unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMSS as non-compliant if the VM Image (OS) is not in the list defined and - the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Contai
ners-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSK
U","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or 
resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"Allowed - locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy - enables you to restrict the locations your organization can specify when deploying - resources. Use to enforce your geo-compliance requirements. 
Excludes resource - groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Node.js version for the latest security classes. 
Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Subnets - should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect - your subnet from potential threats by restricting access to it with a Network - Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Advanced - Threat Protection types should be set to ''All'' in SQL server Advanced Data - Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable all Advanced Threat Protection types on your SQL - servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Allowed - locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This - policy enables you to restrict the locations your organization can create - resource groups in. 
Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Remote - debugging should be turned off for API App","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on an API app. 
Remote debugging - should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated - accounts with owner permissions should be removed from your subscription. 
Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that allow remote connections from - accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that allow remote connections from accounts without passwords. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Mic
rosoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key - Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - Azure SQL servers which do not have recurring vulnerability assessment scans - enabled. 
Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names (supports wildcards)","description":"A semicolon-separated list of the - names of the applications that should not be installed. e.g. 
''Microsoft SQL - Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-2
0f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', - ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that do not have the passwd file permissions - set to 0644","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Linux virtual machines that - do not have the passwd file permissions set to 0644. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Micro
soft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group does not contain all of the - specified members","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines in which the Administrators group does - not contain all of the specified members. This policy should only be used - along with its corresponding deploy policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembersToInclude"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not contain the specified certificates in Trusted - Root","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows VMs that do not contain the specified certificates in the Trusted - Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - This policy should only be used along with its corresponding deploy policy - in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsCertificateInTrustedRoot"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This - is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization - rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit - existence of authorization rules on Event 
Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have the password complexity - setting enabled. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordMustMeetComplexityRequirements"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that have not restarted within the - specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that have not restarted within the specified number of days. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deploy
IfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', - ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","type":"Microsoft.Authorization/policyDefinitions","name":"f4b245d4-46c9-42be-9b1a-49e2b5b94194"},{"properties":{"displayName":"Deploy - Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Auditing is enabled on SQL Servers for enhanced security - and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The - value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention - days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource - group name for storage accounts","description":"Auditing writes database events - to an audit log in your Azure Storage account (a storage account will be created - in each region where a SQL Server is created that will be shared by all servers - in that region). 
Important - for proper operation of Auditing do not delete - or rename the resource group or the storage accounts.","strongType":"existingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"Default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"auditRetentionDays":{"type":"string"},"storageAccountsResourceGroup":{"type":"string"},"location":{"type":"string"}},"variables":{"retentionDays":"[int(parameters(''auditRetentionDays''))]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), - parameters(''location''), parameters(''storageAccountsResourceGroup''))]","locationCode":"[substring(parameters(''location''), - 0, 3)]","storageName":"[tolower(concat(''sqlaudit'', variables(''locationCode''), - variables(''uniqueStorage'')))]","createStorageAccountDeploymentName":"[concat(''sqlServerAuditingStorageAccount-'', - uniqueString(variables(''locationCode''), 
parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect - your VM from potential threats by restricting access to it with a Network - Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines where Windows PowerShell is not configured - to use the specified PowerShell execution policy. This policy should only - be used along with its corresponding deploy policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPowerShellExecutionPolicy"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"External - accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Diagnostic - logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Diagnostic - logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"[Preview]: - Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - your Kubernetes service cluster to a later Kubernetes version to protect against - known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21
bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Audit - Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that do not have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"installed_application_linux"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities - on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor - Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"[Limited - Preview]: Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces containers to listen only on allowed ports in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed - container ports regex","description":"Regex representing container ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Limited - Preview]: Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces the specified labels are provided for pods in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated - list of labels","description":"A comma-separated list of labels to be specified - on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Limited - Preview]: Ensure services listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces services to listen only on allowed ports in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed - service ports regex","description":"Regex representing service ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ServiceAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedServicePortsRegex":"[parameters(''allowedServicePortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077","type":"Microsoft.Authorization/policyDefinitions","name":"25dee3db-6ce0-4c02-ab5d-245887b24077"},{"properties":{"displayName":"[Limited - Preview]: Enforce HTTPS ingress in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited - Preview policies only work for registered subscriptions. To register, please - go to https://aka.ms/akspolicyonboarding. 
For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Limited - Preview]: Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy ensures only allowed container images are running in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed - container images regex","description":"Regex representing container images - allowed in Kubernetes cluster. E.g. 
Regex of azure container registry images - is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedImages","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66","type":"Microsoft.Authorization/policyDefinitions","name":"5f86cb6e-c4da-441b-807c-44bd0cc14e66"},{"properties":{"displayName":"[Limited - Preview]: Do not allow privileged containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy does not allow privileged containers creation in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Limited - Preview]: Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy ensures CPU and memory resource limits are defined on containers in - an Azure Kubernetes Service cluster. Limited Preview policies only work for - registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited - Preview]: Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces load balancers do not have public IPs in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Limited - Preview]: Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"jilim - single allowed location","policyType":"Custom","mode":"All","description":"This - policy enables you to restrict the locations your organization can specify - when deploying resources. Use to enforce your geo-compliance requirements. 
- Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and - resources that use the ''global'' region.","metadata":{"category":"Test"},"parameters":{"allowedLocation":{"type":"String","metadata":{"displayName":"Allowed - location","description":"The location that can be specified when deploying - resources.","strongType":"location"}}},"policyRule":{"if":{"allOf":[{"field":"location","notEquals":"[parameters(''allowedLocation'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/14bee682-2231-4113-bb3a-c067a49c6035","type":"Microsoft.Authorization/policyDefinitions","name":"14bee682-2231-4113-bb3a-c067a49c6035"},{"properties":{"displayName":"jilim - test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-28T00:42:23.9594435Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8a333d4f-45e8-4adf-b777-0f3be1fc4663","type":"Microsoft.Authorization/policyDefinitions","name":"8a333d4f-45e8-4adf-b777-0f3be1fc4663"},{"properties":{"displayName":"VMs - with no Managed Disk","policyType":"Custom","mode":"All","description":"Deny - all VMs with no Managed 
Disk","metadata":{"category":"General"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.compute/virtualmachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id","notlike":"*"}]},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/95696b24-404f-4376-a9a6-7fa8ba91e4d5","type":"Microsoft.Authorization/policyDefinitions","name":"95696b24-404f-4376-a9a6-7fa8ba91e4d5"},{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:13.1409229Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"},{"properties":{"displayName":"rohitbh - def [2]","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-04-30T23:58:47.6628901Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for 
resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyDefinitions/5786a43d-b79a-4f5d-a7b8-b43925a693e0","type":"Microsoft.Authorization/policyDefinitions","name":"5786a43d-b79a-4f5d-a7b8-b43925a693e0"},{"properties":{"displayName":"Azure - KeyVault Allowed Locations","policyType":"Custom","mode":"All","description":"Azure - KeyVault Allowed Locations","metadata":{"category":"Key Vault"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyDefinitions/e1d7de9f-42f0-4af1-9ee0-0187bfce08d5","type":"Microsoft.Authorization/policyDefinitions","name":"e1d7de9f-42f0-4af1-9ee0-0187bfce08d5"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Updated - Unit test junk: sorry for littering. 
Please delete me!","metadata":{"testName":"testValue","createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:36:45.266863Z","updatedBy":"5549abd9-7aae-41fa-a276-5060abe448d5","updatedOn":"2019-07-15T20:36:46.9168436Z"},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps4472","type":"Microsoft.Authorization/policyDefinitions","name":"ps4472"},{"properties":{"policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Unit - test junk: sorry for littering. Please delete me!","metadata":{"createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:15:59.703567Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7414","type":"Microsoft.Authorization/policyDefinitions","name":"ps7414"},{"properties":{"policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Unit - test junk: sorry for littering. 
Please delete me!","metadata":{"createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:19:56.533839Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps8243","type":"Microsoft.Authorization/policyDefinitions","name":"ps8243"}]}' - headers: - cache-control: - - no-cache - content-length: - - '475763' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:13 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:13.1409229Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - 
locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '809' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:14 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: '{"properties": {"displayName": "test_assignment000005", "policyDefinitionId": - "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", - "scope": "/subscriptions/00000000-0000-0000-0000-000000000000", "parameters": - {"allowedLocations": {"value": ["australiaeast", "eastus", "japaneast", "westus"]}}}, - "sku": {"name": "A0", "tier": "Free"}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy assignment create - Connection: - - keep-alive - Content-Length: - - '417' - Content-Type: - - application/json; charset=utf-8 - ParameterSetName: - - --policy -n --display-name --params --scope - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000004?api-version=2019-01-01 - response: - body: - string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:15.0626025Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000004","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000004"}' - headers: - cache-control: - - no-cache - content-length: - - '761' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:15 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy assignment delete - Connection: - - keep-alive - Content-Length: - - '0' - ParameterSetName: - - -n --scope - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: DELETE - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000004?api-version=2019-01-01 - response: - body: - string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000005","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:15.0626025Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/cli-test-polassg000004","type":"Microsoft.Authorization/policyAssignments","name":"cli-test-polassg000004"}' - headers: - cache-control: - - no-cache - content-length: - - '761' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:15 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-deletes: - - '14999' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy assignment list - Connection: - - keep-alive - ParameterSetName: - - --disable-scope-strict-match - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-01-01 - response: - body: - string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Enable Monitoring in Azure Security 
Center","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/1e4e70f9cd4846268b6998ee","type":"Microsoft.Authorization/policyAssignments","name":"1e4e70f9cd4846268b6998ee","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"VMs - with no Managed Disk","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/95696b24-404f-4376-a9a6-7fa8ba91e4d5","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Tigran - Shahbazian","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/21e5086343384f34a3b2d10b","type":"Microsoft.Authorization/policyAssignments","name":"21e5086343384f34a3b2d10b"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - unrestricted network access to storage accounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/4d31128e32d04a0098fd536e","type":"Microsoft.Authorization/policyAssignments","name":"4d31128e32d04a0098fd536e","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Enable Monitoring in Azure Security 
Center","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/4e4179ff39194a62bad4ef3e","type":"Microsoft.Authorization/policyAssignments","name":"4e4179ff39194a62bad4ef3e","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Audit missing blob encryption for storage accounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/5e9286a7cef840afb36b18a7","type":"Microsoft.Authorization/policyAssignments","name":"5e9286a7cef840afb36b18a7","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Enable Monitoring in Azure Security Center","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Rohit - 
Bhardwaj","parameterScopes":{},"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-05-01T00:17:00.0617598Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d58dea05c8704a33b6c8e43e","type":"Microsoft.Authorization/policyAssignments","name":"d58dea05c8704a33b6c8e43e","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Enforce - tag and its value","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/stuartko_testrg1","notScopes":[],"parameters":{"tagName":{"value":"blahName"},"tagValue":{"value":"blahValue"}},"metadata":{"assignedBy":"Stuart - Konen","parameterScopes":{}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/stuartko_testrg1/providers/Microsoft.Authorization/policyAssignments/41dfc116d41aa99bd1dfdd32578eecd9cf75e14481795fc90975dbb25ed97d70","type":"Microsoft.Authorization/policyAssignments","name":"41dfc116d41aa99bd1dfdd32578eecd9cf75e14481795fc90975dbb25ed97d70"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"jilmntest - Append tag and its value from the resource group","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimntest","notScopes":[],"parameters":{"tagName":{"value":"tag1"}},"metadata":{"assignedBy":"Jin - Soon 
Lim","parameterScopes":{},"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-24T23:20:46.5138204Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimntest/providers/Microsoft.Authorization/policyAssignments/56af151b043845ba9dfe0e84","type":"Microsoft.Authorization/policyAssignments","name":"56af151b043845ba9dfe0e84","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Azure - KeyVault Allowed Locations","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyDefinitions/e1d7de9f-42f0-4af1-9ee0-0187bfce08d5","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ramya-test","notScopes":[],"parameters":{"allowedLocations":{"value":["westus"]}},"metadata":{"assignedBy":"Ramyasree - Chakka","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ramya-test"},"createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-05-15T23:11:34.9169304Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ramya-test/providers/Microsoft.Authorization/policyAssignments/8c219f36c4c449b198f38f45","type":"Microsoft.Authorization/policyAssignments","name":"8c219f36c4c449b198f38f45","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Enable Monitoring in Azure Security Center","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggpolicy","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Rohit - 
Bhardwaj","parameterScopes":{},"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-05-01T00:22:01.0195887Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggpolicy/providers/Microsoft.Authorization/policyAssignments/8a4555d353ed46bb856e9890","type":"Microsoft.Authorization/policyAssignments","name":"8a4555d353ed46bb856e9890","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Windows VMs","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimrg","notScopes":[],"parameters":{"logAnalytics":{"value":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-e78961ba-36fe-4739-9212-e3031b4c8db7-weu"}},"metadata":{"assignedBy":"Jin - Soon Lim","parameterScopes":{"logAnalytics":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-24T19:14:43.0131358Z","updatedBy":null,"updatedOn":null}},"identity":{"principalId":"ebd0adfd-2ebb-49ac-8356-2e445a21c226","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimrg/providers/Microsoft.Authorization/policyAssignments/9f4513e4b2254b3c9be27189","type":"Microsoft.Authorization/policyAssignments","name":"9f4513e4b2254b3c9be27189","location":"centralus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"jilim - Append tag and its value from the resource 
group","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimrg","notScopes":[],"parameters":{"tagName":{"value":"tag1"}},"metadata":{"assignedBy":"Jin - Soon Lim","parameterScopes":{},"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-24T21:57:46.067217Z","updatedBy":null,"updatedOn":null}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jilimrg/providers/Microsoft.Authorization/policyAssignments/f1b5c3295c3d4498abf1b7a9","type":"Microsoft.Authorization/policyAssignments","name":"f1b5c3295c3d4498abf1b7a9","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - enabling of diagnostic logs in Azure Data Lake Store","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","scope":"/providers/Microsoft.Management/managementGroups/PolicyUIMG","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/providers/Microsoft.Management/managementGroups/PolicyUIMG/providers/Microsoft.Authorization/policyAssignments/66926b7556734dcf9a80080f","type":"Microsoft.Authorization/policyAssignments","name":"66926b7556734dcf9a80080f","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit - VMs that do not use managed disks delete this","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","scope":"/providers/Microsoft.Management/managementGroups/PolicyUIMG","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - 
Shahane","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-06-20T23:21:22.259084Z","updatedBy":null,"updatedOn":null}},"id":"/providers/Microsoft.Management/managementGroups/PolicyUIMG/providers/Microsoft.Authorization/policyAssignments/ebc169a314df42b9bf912b4f","type":"Microsoft.Authorization/policyAssignments","name":"ebc169a314df42b9bf912b4f","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"sandipsh - CRI 2 [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","scope":"/providers/Microsoft.Management/managementGroups/AzGovTest5","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Sandip - Shahane","parameterScopes":{}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyAssignments/8a5f4a42ed8743de909b269c","type":"Microsoft.Authorization/policyAssignments","name":"8a5f4a42ed8743de909b269c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","scope":"/providers/microsoft.management/managementgroups/AzGovTest5"},"id":"/providers/microsoft.management/managementgroups/AzGovTest5/providers/Microsoft.Authorization/policyAssignments/jilimcss","type":"Microsoft.Authorization/policyAssignments","name":"jilimcss"}]}' - headers: - cache-control: - - no-cache - content-length: - - '11997' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:15 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: 
- - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition delete - Connection: - - keep-alive - Content-Length: - - '0' - ParameterSetName: - - -n --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: DELETE - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-01-01 - response: - body: - string: '{"properties":{"displayName":"test_policy000003_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","createdOn":"2019-07-30T16:00:11.3042407Z","updatedBy":"82f25a3e-d28d-4c27-90d6-d92c79d98936","updatedOn":"2019-07-30T16:00:13.1409229Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' - headers: - cache-control: - - no-cache - content-length: - - '809' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:17 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-deletes: - - '14999' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - 
Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition list - Connection: - - keep-alive - ParameterSetName: - - --subscription - User-Agent: - - python/3.7.4 (Windows-10-10.0.18362-SP0) msrest/0.6.8 msrest_azure/0.6.1 azure-mgmt-resource/3.1.0 - Azure-SDK-For-Python AZURECLI/2.0.69 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-01-01 - response: - body: - string: '{"value":[{"properties":{"displayName":"Audit virtual machines without - disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit - virtual machines which do not have disaster recovery configured. To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the remote host connection status does not match - the specified one","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the remote host connection - status does not match the specified one. This policy should only be used along - with its corresponding deploy policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsRemoteConnection"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"SQL - managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent - Data Encryption (TDE) with your own key support provides increased transparency - and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer",
"in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Diagnostic - logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Audit - SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit - VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"CORS - should not allow every resource to access your Function App","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - Function app. 
Allow only required domains to interact with your Function app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined - and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - values: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft
.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","param
eters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There - should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It - is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Disk - encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs - without an enabled disk encryption will be monitored by Azure Security Center - as 
recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Audit - resource location matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"SQL - server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent - Data Encryption (TDE) with your own key support provides increased transparency - and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which Windows Defender Exploit Guard - is not enabled. This policy should only be used along with its corresponding - deploy policy in an initiative/policy set. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id"
:"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"[Preview]: - Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict - access to the Kubernetes Service Management API by granting API access only - to IP addresses in specific ranges. It is recommended to limit access to authorized - IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote - debugging should be turned off for Function App","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on an function app. 
Remote - debugging should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not contain the specified - certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows VMs that - do not contain the specified certificates in the Trusted Root Certification - Authorities certificate store (Cert:\\LocalMachine\\Root). It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrast
ructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', - ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"[Preview]: - Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if the VM Image (OS) is not in the list defined and the - agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified applications - installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application - names (supports wildcards)","description":"A semicolon-separated list of the - names of the applications that should be installed. e.g. 
''Microsoft SQL Server - 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20
f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', - ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group contains - any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group contains any of the specified members. It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members - to exclude","description":"A semicolon-separated list of members that should - be excluded in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":
"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', - ''='', parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have a minimum password - age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have a minimum password age of 1 day. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab8
8-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows virtual machines that do not have the specified Windows - PowerShell modules installed. This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPowerShellModules"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"[Preview]: - Access to App Services should be 
restricted","policyType":"BuiltIn","mode":"All","description":"Azure - security center has discovered that the networking configuration of some of - your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances which do not have recurring vulnerability assessment - scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined - and the agent is not installed. 
The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent"
,"vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Virtual - machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use - new Azure Resource Manager for your virtual machines to provide security enhancements - such as: stronger access control (RBAC), better auditing, ARM-based deployment - and governance, access to managed identities, access to key vault for secrets, - Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to 
match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.classicCompute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Require - tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. 
Does not apply to resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An - Azure Active Directory administrator should be provisioned for SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - provisioning of an Azure Active Directory administrator for your SQL server - to enable Azure AD authentication. Azure AD authentication enables simplified - permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure - security center has discovered that some of your virtual machines are running - web 
applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"[Deprecated]: - Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Management - ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open - remote management ports are exposing your VM to a high level of risk from - Internet-based attacks. These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Only - secure connections to your 
Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of only connections via SSL to Redis Cache. Use of secure connections - ensures authentication between the server and the service and protects data - in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not restrict the minimum - password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not restrict the minimum password length to 14 characters. It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a
0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows virtual machines that do not have a maximum password - age of 70 days. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MaximumPasswordAge"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Endpoint - protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit - the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Metric - alert 
rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit - configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric - name","description":"The metric name that an alert rule must be enabled on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', - subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, - ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Deploy - default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This - policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware 
extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of file extensions to exclude from 
scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon - delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates - whether or not real time protection is enabled (default is true)"}},"ScheduledScanSettingsIsEnabled":{"type":"string","defaultValue":"false","metadata":{"description":"Indicates - whether or not custom scheduled scan settings are enabled (default is false)"}},"ScheduledScanSettingsScanType":{"type":"string","defaultValue":"Quick","metadata":{"description":"Indicates - whether scheduled scan setting type is set to Quick or Full (default is Quick)"}},"ScheduledScanSettingsDay":{"type":"string","defaultValue":"7","metadata":{"description":"Day - of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"}},"ScheduledScanSettingsTime":{"type":"string","defaultValue":"120","metadata":{"description":"When - to perform the scheduled scan, measured in minutes from midnight (0-1440). 
- For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Append - tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends - the specified tag and value when any resource which is missing this tag is - created or updated. Does not modify the tags of resources created before this - policy was applied until those resources are changed. 
Does not apply to resource - groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not store passwords using reversible - encryption. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"StorePasswordsUsingReversibleEncryption"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that allow remote connections from accounts - without passwords. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid110"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"[Deprecated]: - Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that 
are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not joined to the specified domain. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain - Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-secur
ity-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', - ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if the VM Image (OS) is not in the list defined and the - agent is not installed. 
The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Windo
wsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","
SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs on which the specified services are not - installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the specified services are not installed and ''Running''. 
It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service - names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', - ''='', parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that have accounts without passwords. It also creates a system-assigned managed - identity and deploys the VM extension for Guest Configuration. This policy - should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Mic
rosoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Audit - unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit - unrestricted network access in your storage account firewall settings. Instead, - configure network rules so only applications from allowed networks can access - the storage account. 
To allow connections from specific internet or on-premise - clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Diagnostic - logs in Logic Apps should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have a maximum password - age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have a maximum password age of 70 days. 
It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists"
,"details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS - should not allow every resource to access your API App","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - API app. Allow only required domains to interact with your API app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Gateway - subnets should not be configured with a network security 
group","policyType":"BuiltIn","mode":"All","description":"This - policy denies if a gateway subnet is configured with a network security group. - Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Deploy - Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2017-08-01-preview","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), - ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Automation - account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It - is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Deploy - Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"Storage - accounts should be migrated to new Azure Resource Manager 
resources","policyType":"BuiltIn","mode":"All","description":"Use - new Azure Resource Manager for your storage accounts to provide security enhancements - such as: stronger access control (RBAC), better auditing, Azure Resource Manager - based deployment and governance, access to managed identities, access to key - vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.classicStorage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Diagnostic - logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Advanced - data security settings for SQL managed instance should contain an email address - to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure - that an email address is provided for the ''Send alerts to'' field in the - Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"[Preview]: - Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define - Pod Security Policies to reduce the attack vector by removing unnecessary - application privileges. 
It is recommended to configure Pod Security Policies - to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. The list of OS images will be - updated over time as support is updated. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLSer
ver"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"De
pendencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","type":"Microsoft.Authorization/policyDefinitions","name":"3be22e3b-d919-47aa-805e-8985dbeb0ad9"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. The list of OS images will be - updated over time as support is updated. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Mi
crosoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","content
Version":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities - in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit - the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Deploy - default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Secure - transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - requirment of Secure transfer in your storage account. Secure transfer is - an option that forces your storage account to accept requests only from secure - connections (HTTPS). 
Use of HTTPS ensures authentication between the server - and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Diagnostic - logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Deprecated]: - Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network - Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Require - SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures all SQL servers use version 12.0","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Python version for the latest security classes. 
Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require - automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This - policy enforces enabling automatic OS image patching on Virtual Machine Scale - Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Adaptive - 
Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Append - tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends - the specified tag and value when any resource group which is missing this - tag is created or updated. 
Does not modify the tags of resource groups created - before this policy was applied until those resource groups are changed.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Deploy - requirements to audit Linux VMs that do not have the specified applications - installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Linux virtual machines that - do not have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft
.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', - ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', - '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: - ['', replace(parameters(''ApplicationName''), '';'', '',''), 
'']'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf"
:[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","type":"Microsoft.Authorization/policyDefinitions","name":"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"},{"properties":{"displayName":"A - maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It - is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security - 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"CORS - should not allow every resource to access your Web Application","policyType":"BuiltIn","mode":"All","description":"Cross - origin Resource Sharing (CORS) should not allow all domains to access your - web application. 
Allow only required domains to interact with your web app.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"CorsRestrictionsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have a minimum password - age of 1 day. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MinimumPasswordAge"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not restrict the minimum password - length to 14 characters. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MinimumPasswordLength"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Audit - Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that have the specified applications - installed. 
This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"not_installed_application_linux"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the remote host connection - status does not match the specified one","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the remote host connection status does not match the specified one. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. 
''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. ''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOf
fer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', - ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', - ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', - ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;host","value":"[parameters(''host'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;port","value":"[parameters(''port'')]"},{"name":"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect","value":"[parameters(''shouldConnect'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMSS as non-compliant if the VM Image (OS) is not in the list defined and - the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLE
S-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"External - accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"[Deprecated]: - Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WhitelistedApplication"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Allow - resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: West India, South India, - Central India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: - Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the - list defined and the agent is not installed. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imag
eOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"variables":{"vmExtensionName":"MMAExtension","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux","vmExtensionTypeHandlerVersion":"1.7"},"resources":[{"name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","type":"Microsoft.Compute/virtualMachineScaleSets/extensions","location":"[parameters(''location'')]","apiVersion":"2018-06-01","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), - 
''2015-03-20'').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), - ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"External - accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Audit - Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows web servers that are not using 
secure communication - protocols (TLS 1.1 or TLS 1.2). This policy should only be used along with - its corresponding deploy policy in an initiative. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AuditSecureProtocol"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy - Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Data Security on SQL Servers. This includes turning - on Threat Detection and Vulnerability Assessment. 
It will automatically create - a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), - variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', - variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2016-01-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"Storage","properties":{}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/vulnerabilityAssessments","apiVersion":"2018-06-01-preview","properties":{"storageContainerPath":"[concat(reference(resourceId(''Microsoft.Storage/storageAccounts'', - 
variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', - variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', - variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Service - Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","policyType":"BuiltIn","mode":"Indexed","description":"Service - Fabric provides three levels of protection (None, Sign and EncryptAndSign) - for node-to-node communication using a primary cluster certificate. 
Set the - protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"[Deprecated]: - Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This - policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the Log Analytics agent - is not connected as 
expected","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the Log Analytics agent is not connected to the specified workspaces. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative/policy set. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', - ''='', parameters(''WorkspaceId'')))]"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which Windows Defender Exploit - Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - on which Windows Defender Exploit Guard is not enabled. It also creates a - system-assigned managed identity and deploys the VM extension for Guest Configuration. - This policy should only be used along with its corresponding audit policy - in an initiative/policy set. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-i
nternet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', - ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","type":"Microsoft.Authorization/policyDefinitions","name":"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d"},{"properties":{"displayName":"[Deprecated]: - Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP - Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Deprecated - accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated - accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Not - allowed resource types","policyType":"BuiltIn","mode":"All","description":"This - policy enables you to specify the resource types that your organization cannot - deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The - list of resource types that cannot be deployed.","displayName":"Not allowed - resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Function - App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Allow - resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows VMs on which the Desired State Configuration (DSC) configuration - is not compliant. This policy is only applicable to machines with WMF 4 and - above. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsDscConfiguration"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that allow re-use of the previous - 24 passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that allow re-use of the previous 24 passwords. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0
-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","type":"Microsoft.Authorization/policyDefinitions","name":"726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"properties":{"displayName":"Allowed - storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify a set of storage account SKUs 
that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The - list of SKUs that can be specified for storage accounts.","displayName":"Allowed - SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"[Deprecated]: - Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of diagnostic logs on the app. This enables you to recreate activity - trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Vulnerabilities - should be remediated by a 
Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors - vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: - Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy - Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list - defined and the agent is not installed. Note: if your scale set upgradePolicy - is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microso
ft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), - ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Deploy - requirements to audit Windows Server VMs on which Windows Serial Console is - not 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows Server virtual machines - on which Windows Serial Console is not enabled. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS - Port Number","description":"An integer indicating the COM port to be used - for the Emergency Management Services (EMS) console redirection. For more - information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS - Baud Rate","description":"An integer indicating the baud rate to be used for - the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existen
ceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', - ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', - ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Diagnostic - logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: - Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures blob encryption for storage accounts is turned on. It only - applies to Microsoft.Storage resource types, not other storage providers. 
- This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Audit - Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"NotInstalledApplication"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that have not restarted within the - specified number of days. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"MachineLastBootUpTime"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not have the password complexity - setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the password complexity setting enabled. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/
b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Audit - diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected 
resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource - Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"SQL - Auditing settings should have Action-Groups configured to capture critical - activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups - property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, - FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Diagnostic - logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network - interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy denies the network interfaces which are configured with any public - IP. 
Public IP addresses allow internet resources to communicate inbound to - Azure resources, and Azure resources to communicate outbound to the internet. - This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Deploy - SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), - 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System - updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing - security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Require - specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. 
Does not apply to resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Deploy - requirements to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft
.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', - ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', - '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent","value":"[concat(''packages: - ['', replace(parameters(''ApplicationName''), '';'', '',''), 
'']'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Network - interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This - policy denies the network interfaces which enabled IP forwarding. The setting - of IP forwarding disables Azure''s check of the source and destination for - a network interface. 
This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"SQL - servers should be configured with auditing retention days greater than 90 - days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Audit - Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines with a pending reboot. This policy - should only be used along with its corresponding deploy policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPendingReboot"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Require - tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag - Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that do not store passwords using - reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not store passwords using reversible encryption. 
It also creates a - system-assigned managed identity and deploys the VM extension for Guest Configuration. - This policy should only be used along with its corresponding audit policy - in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists"
,"details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified Windows PowerShell - modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that do not have the specified Windows PowerShell modules installed. It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell - Modules","description":"A semicolon-separated list of the names of the PowerShell - modules that should be installed. You may also specify a specific version - of a module that should be installed by including a comma after the module - name, followed by the desired version. e.g. 
PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/
parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', - ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that contain certificates expiring within the specified - number of 
days","policyType":"BuiltIn","mode":"All","description":"This policy - audits Windows virtual machines that contain certificates expiring within - the specified number of days. This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"CertificateExpiration"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group does not - contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group does not contain all of the specified members. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members - to include","description":"A semicolon-separated list of members that should - be included in the Administrators local group. 
Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":
"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', - ''='', parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Allow - resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Require - specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', - parameters(''tagName''), 
'']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Advanced - data security settings for SQL server should contain an email address to receive - security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure - that an email address is provided for the ''Send alerts to'' field in the - Advanced Data Security server settings. This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Allow - resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West 
US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Azure SQL Database to stream to a regional Event - Hub on any Azure SQL Database which is missing this diagnostic settings is - created or updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest 
security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Access - through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure - Security center has identified some of your Network Security Groups'' inbound - rules to be too permissive. Inbound rules should not allow access from ''Any'' - or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Append - tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends - the specified tag with its value from the resource group when any resource - which is missing this tag is created or updated. 
Does not modify the tags - of resources created before this policy was applied until those resources - are changed.","metadata":{"category":"General"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","exists":"true"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Audit - Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that are not set to the specified time - zone. This policy should only be used along with its corresponding deploy - policy in an initiative. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsTimeZone"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the Log Analytics agent is - not connected to the specified workspaces. This policy should only be used - along with its corresponding deploy policy in an initiative/policy set. For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsLogAnalyticsAgentConnection"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Allowed - resource types","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify the resource types that your organization can - deploy. Only resource types that support ''tags'' and ''location'' will be - affected by this policy. 
To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The - list of resource types that can be deployed.","displayName":"Allowed resource - types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"All - authorization rules except RootManageSharedAccessKey should be removed from - Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service - Bus clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service - Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Audit - Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This - 
policy audits Windows virtual machines that are not joined to the specified - domain. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsDomainMembership"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Audit - usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit - built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC - roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web - Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired - Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"DDoS - Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS - protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Require - encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data - Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Monitor - unencrypted SQL databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted - SQL databases will be monitored by Azure Security Center as recommendations","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Deploy - network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a network watcher resource in regions with virtual networks. - You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', - 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"MFA - should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Automatic - provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs - security agent on VMs for advanced security alerts and preventions in Azure - Security Center. 
Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Advanced - data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced - data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data 
Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"[Preview]: - Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To - provide granular filtering on the actions that users can perform, use Role-Based - Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"Allow - resource 
creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.environment","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Email - notifications to admins and subscription owners should be enabled in SQL managed - instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that ''email notification to admins and subscription owners'' is enabled in - the SQL managed instance advanced threat protection settings. This ensures - that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Monitor - missing Endpoint Protection in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Servers - without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"Monitor - unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL - servers which don''t have SQL auditing turned on will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Just-In-Time - network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that do not have the passwd file permissions - set to 0644. 
This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid121"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"All - authorization rules except RootManageSharedAccessKey should be removed from - Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event - Hub clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. 
To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event - Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Deploy - requirements to audit Windows web servers that are not using secure communication - protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows web servers that - are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-
ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AuditSecureProtocol"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"},{"properties":{"displayName":"Diagnostic - logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"Service - Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit - usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Diagnostic - logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit - enabling of diagnostic logs on the app. This enables you to recreate activity - trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"API - App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use - 
of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs in which the Administrators group does not - contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group does not contain only the specified members. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A - semicolon-separated list of all the expected members of the Administrators - local group. 
Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(co
ncat(''[LocalGroup]AdministratorsGroup;Members'', - ''='', parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"},{"properties":{"displayName":"[Deprecated]: - Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"[Preview]: 
- IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling - IP forwarding on a virtual machine''s NIC allows the machine to receive traffic - addressed to other destinations. IP forwarding is rarely required (e.g., when - using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced - Threat Protection types should be set to ''All'' in SQL managed instance Advanced - Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable all Advanced Threat Protection types on your SQL - servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group contains any of the specified - members","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows virtual machines in which the Administrators group contains any of - the specified members. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembersToExclude"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Allow - resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not set to the specified time zone. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. 
This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) - International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) - Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) - Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) - Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) - Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time - (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US - & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, - Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio - Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) - Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks - and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) - Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San - Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) - Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) - Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) - Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated - Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) - Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, - Lisbon, London","(UTC+00:00) Monrovia, 
Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) - Casablanca","(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) - Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, - Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) - West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) - Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) - Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, - Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) - Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) - Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, - St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu - Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) - Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) - Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) - Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) - Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) - Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) - Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, - Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) - Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, - Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, - Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) - Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) - Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) 
Adelaide","(UTC+09:30) - Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) - Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) - Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) - Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) - Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) - Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) - Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) - Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', - ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"},{"properties":{"displayName":"Audit - Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines on which the specified services are - not installed and ''Running''. This policy should only be used along with - its corresponding deploy policy in an initiative. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsServiceStatus"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"System - updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit - whether there are any missing system security updates and critical updates - that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: - Audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that have 
accounts without passwords. - This policy should only be used along with its corresponding deploy policy - in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordPolicy_msid232"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that contain certificates expiring - within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that contain certificates expiring within the specified number of days. It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' - which is the root certificate store path, so all certificates on the machine - will be checked. 
Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. 
False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Micro
soft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', - ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', - ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', - ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', - ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', - ''='', parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"IncludeExpiredCertificates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Email - notifications to admins and subscription owners should be enabled in SQL server - advanced data security 
settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that ''email notification to admins and subscription owners'' is enabled in - the SQL server advanced threat protection settings. This ensures that any - detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"[Deprecated]: - API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Diagnostic - logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with a pending reboot. It also creates a system-assigned managed identity - and deploys the VM extension for Guest Configuration. This policy should only - be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0
-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c","type":"Microsoft.Authorization/policyDefinitions","name":"c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This - policy automatically deploys diagnostic 
settings to network security groups. - A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage - Account Prefix for Regional Storage Account","description":"This prefix will - be combined with the network security group location to form the created storage - account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource - Group Name for Storage Account (must exist)","description":"The resource group - that the storage account will be created in. This resource group must already - exist.","strongType":"ExistingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/networkSecurityGroups"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"setbypolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"},"nsgName":{"type":"string"},"rgName":{"type":"string"}},"variables":{"storageDeployName":"[concat(''policyStorage_'', - uniqueString(parameters(''location''), 
parameters(''nsgName'')))]"},"resources":[{"type":"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings","name":"[concat(parameters(''nsgName''),''/Microsoft.Insights/setbypolicy'')]","apiVersion":"2017-05-01-preview","location":"[parameters(''location'')]","dependsOn":["[variables(''storageDeployName'')]"],"properties":{"storageAccountId":"[reference(variables(''storageDeployName'')).outputs.storageAccountId.value]","logs":[{"category":"NetworkSecurityGroupEvent","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"NetworkSecurityGroupRuleCounter","enabled":true,"retentionPolicy":{"enabled":false,"days":0}}]}},{"apiVersion":"2017-05-10","name":"[variables(''storageDeployName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''rgName'')]","properties":{"mode":"incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"storagePrefix":{"type":"string"}},"resources":[{"apiVersion":"2017-06-01","type":"Microsoft.Storage/storageAccounts","name":"[concat(parameters(''storageprefix''), - parameters(''location''))]","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"[parameters(''location'')]","tags":{"created-by":"policy"},"scale":null,"properties":{"networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[],"virtualNetworkRules":[]},"supportsHttpsTrafficOnly":true}}],"outputs":{"storageAccountId":{"type":"string","value":"[resourceId(parameters(''rgName''), - ''Microsoft.Storage/storageAccounts'',concat(parameters(''storagePrefix''), - 
parameters(''location'')))]"}}}}}]},"parameters":{"location":{"value":"[field(''location'')]"},"storagePrefix":{"value":"[parameters(''storagePrefix'')]"},"rgName":{"value":"[parameters(''rgName'')]"},"nsgName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","type":"Microsoft.Authorization/policyDefinitions","name":"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89"},{"properties":{"displayName":"Remote - debugging should be turned off for Web Application","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group does not contain only the specified - members","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows virtual machines in which the Administrators group does not contain - only the specified members. 
This policy should only be used along with its - corresponding deploy policy in an initiative. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembers"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: - Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center monitors the data discovery and classification scan results - for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed - virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The - list of SKUs that can be specified for virtual machines.","displayName":"Allowed - SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Allow - resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is 
set","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that allow re-use of the previous 24 - passwords. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"EnforcePasswordHistory"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Diagnostic - logs in Key Vault should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"[Deprecated]: - Audit Function Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security 
Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs on which the DSC configuration is - not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows VMs on which - the Desired State Configuration (DSC) configuration is not compliant. This - policy is only applicable to machines with WMF 4 and above. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-4
2a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Audit - Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits 
Windows Server virtual machines on which Windows Serial Console - is not enabled. This policy should only be used along with its corresponding - deploy policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsSerialConsole"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use - of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"Allow - resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that do not have the specified Windows PowerShell - execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - where Windows PowerShell is not configured to use the specified PowerShell - execution policy. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compu
te/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', - ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Vulnerabilities - in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers - which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"[Preview]: - Audit Dependency Agent Deployment in VMSS - VM Image (OS) 
unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMSS as non-compliant if the VM Image (OS) is not in the list defined and - the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Contai
ners-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSK
U","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or 
resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"Allowed - locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy - enables you to restrict the locations your organization can specify when deploying - resources. Use to enforce your geo-compliance requirements. 
Excludes resource - groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"[Deprecated]: - Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Node.js version for the latest security classes. 
Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Subnets - should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect - your subnet from potential threats by restricting access to it with a Network - Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Advanced - Threat Protection types should be set to ''All'' in SQL server Advanced Data - Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable all Advanced Threat Protection types on your SQL - servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Allowed - locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This - policy enables you to restrict the locations your organization can create - resource groups in. 
Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"[Deprecated]: - Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The - Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Remote - debugging should be turned off for API App","policyType":"BuiltIn","mode":"All","description":"Remote - debugging requires inbound ports to be opened on an API app. 
Remote debugging - should be turned off.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoteDebuggingForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated - accounts with owner permissions should be removed from your subscription. 
Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that allow remote connections from - accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that allow remote connections from accounts without passwords. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Mic
rosoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"Deploy - Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key - Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''vaultName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - Azure SQL servers which do not have recurring vulnerability assessment scans - enabled. 
Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy - requirements to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that have the specified applications installed. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application - names (supports wildcards)","description":"A semicolon-separated list of the - names of the applications that should not be installed. e.g. 
''Microsoft SQL - Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-2
0f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', - ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Linux VMs that do not have the passwd file permissions - set to 0644","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Linux virtual machines that - do not have the passwd file permissions set to 0644. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Micro
soft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"Audit - Windows VMs in which the Administrators group does not contain all of the - specified members","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines in which the Administrators group does - not contain all of the specified members. This policy should only be used - along with its corresponding deploy policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"AdministratorsGroupMembersToInclude"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not contain the specified certificates in Trusted - Root","policyType":"BuiltIn","mode":"All","description":"This policy audits - Windows VMs that do not contain the specified certificates in the Trusted - Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - This policy should only be used along with its corresponding deploy policy - in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsCertificateInTrustedRoot"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"[Preview]: - Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This - is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization - rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit - existence of authorization rules on Event 
Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: - Audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines that do not have the password complexity - setting enabled. This policy should only be used along with its corresponding - deploy policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"PasswordMustMeetComplexityRequirements"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs that have not restarted within the - specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that have not restarted within the specified number of days. It also creates - a system-assigned managed identity and deploys the VM extension for Guest - Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deploy
IfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', - ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","type":"Microsoft.Authorization/policyDefinitions","name":"f4b245d4-46c9-42be-9b1a-49e2b5b94194"},{"properties":{"displayName":"Deploy - Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Auditing is enabled on SQL Servers for enhanced security - and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The - value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention - days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource - group name for storage accounts","description":"Auditing writes database events - to an audit log in your Azure Storage account (a storage account will be created - in each region where a SQL Server is created that will be shared by all servers - in that region). 
Important - for proper operation of Auditing do not delete - or rename the resource group or the storage accounts.","strongType":"existingResourceGroups"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"Default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"auditRetentionDays":{"type":"string"},"storageAccountsResourceGroup":{"type":"string"},"location":{"type":"string"}},"variables":{"retentionDays":"[int(parameters(''auditRetentionDays''))]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), - parameters(''location''), parameters(''storageAccountsResourceGroup''))]","locationCode":"[substring(parameters(''location''), - 0, 3)]","storageName":"[tolower(concat(''sqlaudit'', variables(''locationCode''), - variables(''uniqueStorage'')))]","createStorageAccountDeploymentName":"[concat(''sqlServerAuditingStorageAccount-'', - uniqueString(variables(''locationCode''), 
parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), - ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect - your VM from potential threats by restricting access to it with a Network - Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Audit - Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This - policy audits Windows virtual machines where Windows PowerShell is not configured - to use the specified PowerShell execution policy. This policy should only - be used along with its corresponding deploy policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"WindowsPowerShellExecutionPolicy"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"External - accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External - accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Diagnostic - logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Diagnostic - logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - enabling of diagnostic logs. 
This enables you to recreate activity trails - to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"[Preview]: - Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - your Kubernetes service cluster to a later Kubernetes version to protect against - known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21
bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Audit - Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This - policy audits Linux virtual machines that do not have the specified applications - installed. This policy should only be used along with its corresponding deploy - policy in an initiative. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.GuestConfiguration/guestConfigurationAssignments"},{"field":"name","equals":"installed_application_linux"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","notEquals":"Compliant"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities - on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor - Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"[Limited - Preview]: Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces containers to listen only on allowed ports in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed - container ports regex","description":"Regex representing container ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Limited - Preview]: Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces the specified labels are provided for pods in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated - list of labels","description":"A comma-separated list of labels to be specified - on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Limited - Preview]: Ensure services listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces services to listen only on allowed ports in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed - service ports regex","description":"Regex representing service ports allowed - in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ServiceAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedServicePortsRegex":"[parameters(''allowedServicePortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077","type":"Microsoft.Authorization/policyDefinitions","name":"25dee3db-6ce0-4c02-ab5d-245887b24077"},{"properties":{"displayName":"[Limited - Preview]: Enforce HTTPS ingress in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited - Preview policies only work for registered subscriptions. To register, please - go to https://aka.ms/akspolicyonboarding. 
For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Limited - Preview]: Ensure only allowed container images in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy ensures only allowed container images are running in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed - container images regex","description":"Regex representing container images - allowed in Kubernetes cluster. E.g. 
Regex of azure container registry images - is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedImages","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66","type":"Microsoft.Authorization/policyDefinitions","name":"5f86cb6e-c4da-441b-807c-44bd0cc14e66"},{"properties":{"displayName":"[Limited - Preview]: Do not allow privileged containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy does not allow privileged containers creation in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Limited - Preview]: Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy ensures CPU and memory resource limits are defined on containers in - an Azure Kubernetes Service cluster. Limited Preview policies only work for - registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited - Preview]: Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces load balancers do not have public IPs in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Limited - Preview]: Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This - policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes - Service cluster. Limited Preview policies only work for registered subscriptions. - To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes - service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"jilim - single allowed location","policyType":"Custom","mode":"All","description":"This - policy enables you to restrict the locations your organization can specify - when deploying resources. Use to enforce your geo-compliance requirements. 
- Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and - resources that use the ''global'' region.","metadata":{"category":"Test"},"parameters":{"allowedLocation":{"type":"String","metadata":{"displayName":"Allowed - location","description":"The location that can be specified when deploying - resources.","strongType":"location"}}},"policyRule":{"if":{"allOf":[{"field":"location","notEquals":"[parameters(''allowedLocation'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/14bee682-2231-4113-bb3a-c067a49c6035","type":"Microsoft.Authorization/policyDefinitions","name":"14bee682-2231-4113-bb3a-c067a49c6035"},{"properties":{"displayName":"jilim - test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-28T00:42:23.9594435Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8a333d4f-45e8-4adf-b777-0f3be1fc4663","type":"Microsoft.Authorization/policyDefinitions","name":"8a333d4f-45e8-4adf-b777-0f3be1fc4663"},{"properties":{"displayName":"VMs - with no Managed Disk","policyType":"Custom","mode":"All","description":"Deny - all VMs with no Managed 
Disk","metadata":{"category":"General"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.compute/virtualmachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id","notlike":"*"}]},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/95696b24-404f-4376-a9a6-7fa8ba91e4d5","type":"Microsoft.Authorization/policyDefinitions","name":"95696b24-404f-4376-a9a6-7fa8ba91e4d5"},{"properties":{"displayName":"rohitbh - def [2]","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-04-30T23:58:47.6628901Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyDefinitions/5786a43d-b79a-4f5d-a7b8-b43925a693e0","type":"Microsoft.Authorization/policyDefinitions","name":"5786a43d-b79a-4f5d-a7b8-b43925a693e0"},{"properties":{"displayName":"Azure - KeyVault Allowed Locations","policyType":"Custom","mode":"All","description":"Azure - KeyVault Allowed Locations","metadata":{"category":"Key Vault"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of allowed locations for 
resources.","strongType":"location"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovTest5/providers/Microsoft.Authorization/policyDefinitions/e1d7de9f-42f0-4af1-9ee0-0187bfce08d5","type":"Microsoft.Authorization/policyDefinitions","name":"e1d7de9f-42f0-4af1-9ee0-0187bfce08d5"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Updated - Unit test junk: sorry for littering. Please delete me!","metadata":{"testName":"testValue","createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:36:45.266863Z","updatedBy":"5549abd9-7aae-41fa-a276-5060abe448d5","updatedOn":"2019-07-15T20:36:46.9168436Z"},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps4472","type":"Microsoft.Authorization/policyDefinitions","name":"ps4472"},{"properties":{"policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Unit - test junk: sorry for littering. Please delete me!","metadata":{"createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:15:59.703567Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7414","type":"Microsoft.Authorization/policyDefinitions","name":"ps7414"},{"properties":{"policyType":"Custom","mode":"Microsoft.KeyVault.Data","description":"Unit - test junk: sorry for littering. 
Please delete me!","metadata":{"createdBy":"5549abd9-7aae-41fa-a276-5060abe448d5","createdOn":"2019-07-15T20:19:56.533839Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties/keyType","equals":"RSA"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps8243","type":"Microsoft.Authorization/policyDefinitions","name":"ps8243"}]}' - headers: - cache-control: - - no-cache - content-length: - - '474953' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 30 Jul 2019 16:00:27 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -version: 1 diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_default.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_default.yaml index f0f891fe968..ca415b02e28 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_default.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_default.yaml 
@@ -22,14 +22,14 @@ interactions: - -n --rules --params --display-name --description User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:18.1579052Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:27.0356983Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -40,7 +40,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:17 GMT + - Thu, 06 Feb 2020 00:13:26 GMT expires: - '-1' pragma: 
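Review bot: The re-recorded response body on the `+ string:` line keeps a concrete `createdBy` GUID (`36e2f355-d2e2-4fbc-88ab-4281639dff94`), while the subscription id in the same body is scrubbed to `00000000-0000-0000-0000-000000000000`. The value differs between the old and new recording, so it is presumably the directory object id of whoever recorded the test, and committing it publishes an identifier for a principal in the recording tenant. Consider having the recording scrubber rewrite `createdBy`/`updatedBy` to a fixed placeholder such as `00000000-0000-0000-0000-000000000000`, the same way the subscription id is handled. The same value appears on the new side of the hunks at -77, -130 and -175 of this file.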
@@ -50,7 +50,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1199' + - '1197' status: code: 201 message: Created 
@@ -77,14 +77,14 @@ interactions: - -n --rules --mode --display-name --description User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_data_policy000005","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:19.7023855Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000004"}' + string: 
'{"properties":{"displayName":"test_data_policy000005","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:27.7615418Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000004"}' headers: cache-control: - no-cache @@ -93,7 +93,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:19 GMT + - Thu, 06 Feb 2020 00:13:27 GMT expires: - '-1' pragma: @@ -103,7 +103,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1198' + - '1199' status: code: 201 message: Created 
@@ -130,14 +130,14 @@ interactions: - -n --definitions --display-name --description --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -146,7 +146,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:22 GMT + - Thu, 06 Feb 2020 00:13:29 GMT expires: - '-1' pragma: @@ -156,7 +156,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1199' + - '1198' status: code: 201 message: Created 
@@ -175,14 +175,14 @@ interactions: - -n --display-name --description --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -191,7 +191,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:22 GMT + - Thu, 06 Feb 2020 00:13:29 GMT expires: - '-1' pragma: 
@@ -212,9 +212,9 @@ interactions: "desc_for_test_policyset_123_new", "metadata": {"category": "test2"}, "policyDefinitions": [{"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", "parameters": {"allowedLocations": {"value": ["australiaeast", "eastus", "japaneast", - "westus"]}}, "policyDefinitionReferenceId": "6474370888904838730"}, {"policyDefinitionId": + "westus"]}}, "policyDefinitionReferenceId": "2897656168822257042"}, {"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004", - "policyDefinitionReferenceId": "4285126740809313342"}]}}' + "policyDefinitionReferenceId": "14785188181418082073"}]}}' headers: Accept: - application/json 
@@ -225,21 +225,21 @@ interactions: Connection: - keep-alive Content-Length: - - '698' + - '699' Content-Type: - application/json; charset=utf-8 ParameterSetName: - -n --display-name --description --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:24.5192793Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:31.3724603Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -248,7 +248,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:24 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: @@ -279,7 +279,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -290,22 +290,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -315,7 +315,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -325,7 +325,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -333,7 +333,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a
17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"poli
cyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","policyD
efinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/
e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/providers/
Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20
a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -349,13 +349,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -365,15 +365,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -385,8 +385,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -484,12 +484,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -514,18 +514,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -538,30 +538,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -618,10 +618,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -647,7 +647,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -657,14 +657,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Micro
soft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Mic
rosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenc
eId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization
/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b6
90-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authoriza
tion/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{
"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4
466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -677,20 +677,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db
-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-ab
a46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. 
For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -706,21 +729,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -776,19 +799,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -797,55 +820,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -1035,7 +1394,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -1047,7 +1406,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -1056,56 +1415,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -1116,16 +1476,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -1136,428 +1496,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -1567,7 +1934,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -1583,24 +1950,26 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"test_policysetwxjo4i","policyType":"Custom","description":"desc_for_test_policyset_123_new","parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"17488445668941566688","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset6rniub","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset6rniub"},{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"categor
y":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:24.5192793Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}]}' + that should not be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"Test + Modify initiative","policyType":"Custom","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:36.3227701Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-14T22:57:48.6939794Z"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"8044870099827093134","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"2352795843478363616","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","parameters":{}},{"policyDefinitionReferenceId":"5060779722072987833","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","parameters":{}},{"policyDefinitionReferenceId":"10653200271752784328","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","parameters":{"tagName":{"value":"modifyinitiative"},"tagValue":{"value":"true"}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefini
tions/55afae72-7df0-417b-9eb7-f756576c854a","type":"Microsoft.Authorization/policySetDefinitions","name":"55afae72-7df0-417b-9eb7-f756576c854a"},{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:31.3724603Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}]}' headers: cache-control: - no-cache content-length: - - '646313' + - '764805' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:25 GMT + - Thu, 06 Feb 2020 00:13:31 GMT expires: - '-1' pragma: 
@@ -1631,14 +2000,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:24.5192793Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:31.3724603Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -1647,7 +2016,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:26 GMT + - Thu, 06 Feb 2020 00:13:32 GMT expires: - '-1' pragma: 
@@ -1678,14 +2047,14 @@ interactions: - -d -n --display-name -g User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:24.5192793Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:31.3724603Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -1694,7 +2063,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:26 GMT + - Thu, 06 Feb 2020 00:13:32 GMT expires: - '-1' pragma: 
@@ -1732,23 +2101,23 @@ interactions: - -d -n --display-name -g User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000009","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:28.8171563Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000008"}' + string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000009","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:33.357871Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000008"}' headers: cache-control: - no-cache content-length: - - '914' + - '913' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:27 GMT + - Thu, 06 Feb 2020 00:13:32 GMT expires: - '-1' pragma: 
@@ -1758,10 +2127,81 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1199' + - '1198' status: code: 201 message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment list + Connection: + - keep-alive + ParameterSetName: + - --resource-group + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 + response: + body: + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test + Modify initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert + Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"vnet + peering 
test","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/96bb4fa1-6ce9-4579-8d80-97e024120b63","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"asdf","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-03T19:36:05.7223738Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-03T19:50:59.2874334Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8c3bddd659eb4533a7c33a2a","type":"Microsoft.Authorization/policyAssignments","name":"8c3bddd659eb4533a7c33a2a"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + replace tag RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support + 
audit requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministra
torsGroup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This + initiative includes audit and VM Extension deployment policies that address + a subset of NIST SP 800-53 R4 controls. Additional policies will be added + in upcoming releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Append + System MSI","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/696db945-5483-4632-95bc-d76037001b62","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-01-24T20:39:03.6373902Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/eba1a2389a7441e384067194","type":"Microsoft.Authorization/policyAssignments","name":"eba1a2389a7441e384067194"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + Replace tag without becoming 
compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000009","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:33.357871Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000008"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit + tag at MG","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000"],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:48.2629834Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-10-01T17:50:28.4254014Z"},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/ef26e8bbc3da423ebf7fcb80","type":"Microsoft.Authorization/policyAssignments","name":"ef26e8bbc3da423ebf7fcb80"}]}' + headers: + cache-control: + - no-cache + content-length: + - '12047' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:13:33 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + 
code: 200 + message: OK - request: body: null headers: 
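Review bot: The response body recorded for `policy assignment list --resource-group` in this hunk commits unrelated, unscrubbed tenant data. Only the subscription ID appears to be replaced (all zeros), while `assignedBy` display names, `identity.principalId` and `tenantId` GUIDs, `createdBy`/`updatedBy` object IDs, a management group name and the account aliases in the `listOfMembersTo…WindowsVMAdministratorsGroup` parameter values are stored verbatim. The list also includes subscription-level and management-group-level assignments that have nothing to do with the test's own `azurecli-test-policy-assignment000008`. I would re-record against a subscription that has no other assignments, or extend the recording processors to replace these identity fields with fixed placeholders before the cassette is committed. The same applies to the `createdBy`/`updatedBy` GUIDs in the other updated response bodies of this file.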
@@ -1779,23 +2219,23 @@ interactions: - -n -g User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008?api-version=2019-09-01 response: body: - string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000009","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:28.8171563Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000008"}' + string: 
'{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000009","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:33.357871Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyset000001/providers/Microsoft.Authorization/policyAssignments/azurecli-test-policy-assignment000008","type":"Microsoft.Authorization/policyAssignments","name":"azurecli-test-policy-assignment000008"}' headers: cache-control: - no-cache content-length: - - '914' + - '913' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:29 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: 
@@ -1828,29 +2268,47 @@ interactions: - --disable-scope-strict-match User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 response: body: - string: '{"value":[{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - DataProtection (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","description":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - Center","createdBy":"2f8a138f-0955-44e1-9124-c386dfaecad4","createdOn":"2019-11-25T02:19:57.9086573Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/DataProtectionSecurityCenter","type":"Microsoft.Authorization/policyAssignments","name":"DataProtectionSecurityCenter"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC - Default (subscription: 
0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"diagnosticsLogsInServiceFabricMonitoringEffect":{"value":"AuditIfNotExists"},"systemUpdatesMonitoringEffect":{"value":"AuditIfNotExists"},"systemConfigurationsMonitoringEffect":{"value":"AuditIfNotExists"},"endpointProtectionMonitoringEffect":{"value":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"value":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"value":"AuditIfNotExists"},"sqlEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"value":"Audit"},"jitNetworkAccessMonitoringEffect":{"value":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateLessThanOwnersMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateMoreThanOneOwnerMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoring
Effect":{"value":"AuditIfNotExists"},"secureTransferToStorageAccountMonitoringEffect":{"value":"Audit"},"aadAuthenticationInSqlServerMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInRedisCacheMonitoringEffect":{"value":"Audit"},"clusterProtectionLevelInServiceFabricMonitoringEffect":{"value":"Audit"},"aadAuthenticationInServiceFabricMonitoringEffect":{"value":"Audit"},"diagnosticsLogsInServiceBusMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeStoreMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInEventHubMonitoringEffect":{"value":"AuditIfNotExists"},"metricAlertsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"value":"Audit"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"value":"Audit"},"classicComputeVMsMonitoringEffect":{"value":"Audit"},"classicStorageAccountsMonitoringEffect":{"value":"Audit"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInKeyVaultMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInStreamAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"value":"AuditIfNotExists"}},"description":"This - policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security - Center"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn","type":"Microsoft.Authorization/policyAssignments","name":"SecurityCenterBuiltIn"}]}' + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Test + Modify 
initiative","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"","metadata":{"assignedBy":"Robert + Gao","parameterScopes":{},"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:56.3908822Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-24T00:21:39.566802Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"48036e81-a2af-4e6c-9624-4908615cc36d","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/3cf2c941d7b2418ca7b860e2","type":"Microsoft.Authorization/policyAssignments","name":"3cf2c941d7b2418ca7b860e2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"vnet + peering test","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/96bb4fa1-6ce9-4579-8d80-97e024120b63","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"asdf","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-03T19:36:05.7223738Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-03T19:50:59.2874334Z"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8c3bddd659eb4533a7c33a2a","type":"Microsoft.Authorization/policyAssignments","name":"8c3bddd659eb4533a7c33a2a"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg + replace tag 
RG","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"tagName":{"value":"cheggReplaced"},"tagValue":{"value":"true_112019_246PM"}},"description":"","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-06T23:26:56.0841235Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-15T23:38:36.7397407Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"9f6b0b38-d4b1-43d7-9ec8-4905306fe6fa","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/98a7c096f5154b8eadd36f8c","type":"Microsoft.Authorization/policyAssignments","name":"98a7c096f5154b8eadd36f8c","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"[Preview]: + Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support + audit 
requirements","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"value":"fasdff"},"listOfResourceTypesWithDiagnosticLogsEnabled":{"value":["Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGr
oup":{"value":"cheggert"},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"value":"rohitbh"}},"description":"This + initiative includes audit and VM Extension deployment policies that address + a subset of NIST SP 800-53 R4 controls. Additional policies will be added + in upcoming releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-20T22:11:26.047177Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T20:40:02.1398566Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"c7519ca7-0d79-4b0f-af0b-0a4cfe3402d0","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/d17bc2764dae4ec1be07d178","type":"Microsoft.Authorization/policyAssignments","name":"d17bc2764dae4ec1be07d178","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Append + System MSI","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/696db945-5483-4632-95bc-d76037001b62","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-01-24T20:39:03.6373902Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/eba1a2389a7441e384067194","type":"Microsoft.Authorization/policyAssignments","name":"eba1a2389a7441e384067194"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"chegg: + Replace tag without becoming 
compliant","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:49.7568462Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"8b9d526a-9e43-4d1b-8bfe-cfe4d90f3b58","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/ee5909f9ee3f4c12bbed6efc","type":"Microsoft.Authorization/policyAssignments","name":"ee5909f9ee3f4c12bbed6efc","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (SUB)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:53.4694168Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-08T19:53:50.7651317Z"},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"dfd2385a-7700-420f-b164-bd9ffb52285b","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/fcddeb6113ec43798567dce2","type":"Microsoft.Authorization/policyAssignments","name":"fcddeb6113ec43798567dce2","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Empty + deployment on each KeyVault resource (MG)","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":[],"parameters":{},"description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"assignedBy":"Chris Eggert","parameterScopes":{},"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:44:17.3643721Z","updatedBy":null,"updatedOn":null},"enforcementMode":"DoNotEnforce"},"identity":{"principalId":"067c1aa0-c425-4ad5-80fe-41d4639b1d42","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","type":"SystemAssigned"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/d80d743b97874fd3bfd1d539","type":"Microsoft.Authorization/policyAssignments","name":"d80d743b97874fd3bfd1d539","location":"eastus"},{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Audit + tag at MG","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","scope":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest","notScopes":["/subscriptions/00000000-0000-0000-0000-000000000000"],"parameters":{},"metadata":{"assignedBy":"Chris + Eggert","parameterScopes":{},"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:48.2629834Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-10-01T17:50:28.4254014Z"},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyAssignments/ef26e8bbc3da423ebf7fcb80","type":"Microsoft.Authorization/policyAssignments","name":"ef26e8bbc3da423ebf7fcb80"}]}' headers: cache-control: - no-cache content-length: - - '4820' + - '11133' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:29 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: 
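Review bot: The re-recorded subscription-level `policyAssignments` list response in this hunk commits data from the recording account that the scrubber does not touch. Only the subscription ID is normalised to `00000000-0000-0000-0000-000000000000`, while `metadata.assignedBy` carries people's display names, and `identity.tenantId`, `identity.principalId`, `createdBy`/`updatedBy` and the management group name appear verbatim. The body is also a snapshot of whatever assignments happened to exist in that subscription, so the cassette grew from 4820 to 11133 bytes with entries unrelated to the test. I would re-record against a clean subscription, or post-process the cassette so these fields hold constructed placeholders, for example `"assignedBy":"<redacted>"` and `"tenantId":"00000000-0000-0000-0000-000000000000"`, and keep only the assignments the assertions need.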
@@ -1883,14 +2341,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:22.6874937Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:24.5192793Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"6474370888904838730","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:30.009077Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:31.3724603Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"2897656168822257042","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache @@ -1899,7 +2357,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:30 GMT + - Thu, 06 Feb 2020 00:13:35 GMT expires: - '-1' pragma: @@ -1913,7 +2371,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-deletes: - - '14999' + - '14998' status: code: 200 message: OK @@ -1930,7 +2388,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -1941,22 +2399,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -1966,7 +2424,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -1976,7 +2434,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -1984,7 +2442,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b
3a17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","polic
yDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinition
s/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"
policyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a
20a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -2000,13 +2458,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -2016,15 +2474,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -2036,8 +2494,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -2135,12 +2593,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -2165,18 +2623,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -2189,30 +2647,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in 
Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -2269,10 +2727,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -2298,7 +2756,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -2308,14 +2766,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Mic
rosoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","M
icrosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionRefere
nceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorizati
on/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-
b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authori
zation/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}}
,{"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4
-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provid
ers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -2328,20 +2786,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49
db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-ab
a46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. 
For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -2357,21 +2838,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -2427,19 +2908,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -2448,55 +2929,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -2686,7 +3503,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -2698,7 +3515,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -2707,56 +3524,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -2767,16 +3585,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -2787,428 +3605,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this - policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policy setting is enabled, the shutdown command is available on the Windows + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -3218,7 +4043,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -3234,24 +4059,26 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"test_policysetwxjo4i","policyType":"Custom","description":"desc_for_test_policyset_123_new","parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"17488445668941566688","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset6rniub","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset6rniub"}]}' + that should not be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"Test + Modify initiative","policyType":"Custom","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:36.3227701Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-14T22:57:48.6939794Z"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"8044870099827093134","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"2352795843478363616","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","parameters":{}},{"policyDefinitionReferenceId":"5060779722072987833","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","parameters":{}},{"policyDefinitionReferenceId":"10653200271752784328","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","parameters":{"tagName":{"value":"modifyinitiative"},"tagValue":{"value":"true"}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefini
tions/55afae72-7df0-417b-9eb7-f756576c854a","type":"Microsoft.Authorization/policySetDefinitions","name":"55afae72-7df0-417b-9eb7-f756576c854a"}]}' headers: cache-control: - no-cache content-length: - - '645188' + - '763680' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:41 GMT + - Thu, 06 Feb 2020 00:13:46 GMT expires: - '-1' pragma: 
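Review bot: The re-recorded list response at the end of this hunk keeps identity data that the scrubbing applied to the subscription ID does not cover: the `createdBy`/`updatedBy` GUIDs (presumably directory object IDs of the accounts that created the resources) and a custom `Test Modify initiative` whose member definition is named `robgaTestModify`. The same `createdBy` value recurs in the PUT, GET and DELETE responses of the hunks that follow. I would replace these values at recording time, the way the subscription ID is already zeroed, e.g. `"createdBy":"00000000-0000-0000-0000-000000000000"`. I would also re-record against a subscription that holds no unrelated custom policy sets, so the fixture contains only what the test itself creates. Since the file is a generated recording, the fix belongs in the recording step rather than in a hand edit of the YAML.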
@@ -3292,25 +4119,25 @@ interactions: - -n --definitions --display-name --description --params --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:43.1150385Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:49.2243423Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when - deploying 
resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"9117087060701545055","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + deploying resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"1087192126056377023","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache content-length: - - '1234' + - '1235' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:43 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: @@ -3320,7 +4147,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1199' + - '1198' status: code: 201 message: Created 
@@ -3339,25 +4166,25 @@ interactions: - -n --params --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:43.1150385Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:49.2243423Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when - deploying 
resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"9117087060701545055","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + deploying resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"1087192126056377023","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache content-length: - - '1234' + - '1235' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:43 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: 
@@ -3379,9 +4206,9 @@ interactions: {"allowedLocations": {"type": "array", "metadata": {"displayName": "Allowed locations 2"}}}, "policyDefinitions": [{"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", "parameters": {"allowedLocations": {"value": "[parameters(''allowedLocations'')]"}}, - "policyDefinitionReferenceId": "9117087060701545055"}, {"policyDefinitionId": + "policyDefinitionReferenceId": "1087192126056377023"}, {"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004", - "policyDefinitionReferenceId": "4285126740809313342"}]}}' + "policyDefinitionReferenceId": "14785188181418082073"}]}}' headers: Accept: - application/json 
@@ -3392,31 +4219,31 @@ interactions: Connection: - keep-alive Content-Length: - - '789' + - '790' Content-Type: - application/json; charset=utf-8 ParameterSetName: - -n --params --metadata User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:43.1150385Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:44.5518313Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"9117087060701545055","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:49.2243423Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:50.4982231Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"1087192126056377023","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache content-length: - - '1211' + - '1212' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:44 GMT + - Thu, 06 Feb 2020 00:13:49 GMT expires: - '-1' pragma: @@ -3430,7 +4257,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1198' + - '1199' status: code: 200 message: OK 
@@ -3451,24 +4278,24 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:43.1150385Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-10T11:02:44.5518313Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"9117087060701545055","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"4285126740809313342","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' + string: 
'{"properties":{"displayName":"test_policyset000007_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:49.2243423Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:13:50.4982231Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"1087192126056377023","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"14785188181418082073","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000006","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000006"}' headers: cache-control: - no-cache content-length: - - '1211' + - '1212' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:45 GMT + - Thu, 06 Feb 2020 00:13:51 GMT expires: - '-1' pragma: @@ -3499,7 +4326,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -3510,22 +4337,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -3535,7 +4362,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -3545,7 +4372,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -3553,7 +4380,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b
3a17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","polic
yDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinition
s/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"
policyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a
20a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -3569,13 +4396,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -3585,15 +4412,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -3605,8 +4432,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -3704,12 +4531,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -3734,18 +4561,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -3758,30 +4585,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in 
Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -3838,10 +4665,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -3867,7 +4694,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -3877,14 +4704,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Mic
rosoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","M
icrosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionRefere
nceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorizati
on/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-
b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authori
zation/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}}
,{"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4
-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provid
ers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -3897,20 +4724,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49
db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-ab
a46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. 
For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -3926,21 +4776,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -3996,19 +4846,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -4017,55 +4867,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -4255,7 +5441,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -4267,7 +5453,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -4276,56 +5462,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -4336,16 +5523,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -4356,428 +5543,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -4787,7 +5981,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -4803,24 +5997,26 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"test_policysetwxjo4i","policyType":"Custom","description":"desc_for_test_policyset_123_new","parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"17488445668941566688","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset6rniub","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset6rniub"}]}' + that should not be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"Test + Modify initiative","policyType":"Custom","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:36.3227701Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-14T22:57:48.6939794Z"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"8044870099827093134","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"2352795843478363616","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","parameters":{}},{"policyDefinitionReferenceId":"5060779722072987833","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","parameters":{}},{"policyDefinitionReferenceId":"10653200271752784328","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","parameters":{"tagName":{"value":"modifyinitiative"},"tagValue":{"value":"true"}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefini
tions/55afae72-7df0-417b-9eb7-f756576c854a","type":"Microsoft.Authorization/policySetDefinitions","name":"55afae72-7df0-417b-9eb7-f756576c854a"}]}' headers: cache-control: - no-cache content-length: - - '645188' + - '763680' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:55 GMT + - Thu, 06 Feb 2020 00:13:57 GMT expires: - '-1' pragma: 
@@ -4853,14 +6049,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:18.1579052Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:27.0356983Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -4871,7 +6067,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:02:57 GMT + - Thu, 06 Feb 2020 00:14:01 GMT expires: - '-1' pragma: 
@@ -4906,14 +6102,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_data_policy000005","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-10T11:02:19.7023855Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000004"}' + string: 
'{"properties":{"displayName":"test_data_policy000005","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:13:27.7615418Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000004","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000004"}' headers: cache-control: - no-cache @@ -4922,7 +6118,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:03:07 GMT + - Thu, 06 Feb 2020 00:14:12 GMT expires: - '-1' pragma: @@ -4936,7 +6132,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-deletes: - - '14998' + - '14999' status: code: 200 message: OK @@ -4953,7 +6149,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -4962,41 +6158,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed 
Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5004,55 +6206,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompu
te/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"
allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5065,11 +6267,11 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -5081,67 +6283,69 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -5153,17 +6357,17 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5174,26 +6378,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -5201,7 +6407,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -5220,44 +6426,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -5266,96 +6478,98 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderEx
ploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Comput
e/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsof
t.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5365,11 +6579,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*
"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5379,55 +6593,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws 
or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this 
System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -5436,11 +6655,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5451,22 +6670,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5475,11 +6695,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/i
mageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5489,12 +6709,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5503,7 +6724,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5512,10 +6734,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements 
this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5523,22 +6745,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublishe
r","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -5549,44 +6772,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -5594,48 +6819,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Windo
wsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft
.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -5643,12 +6868,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5660,51 +6885,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory 
pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -5712,18 +6944,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConf
iguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5731,20 +6966,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5753,8 +6990,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"
allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5763,16 +7000,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5785,28 +7022,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"
field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5819,37 +7056,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -5860,22 +7098,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5883,132 +7122,149 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detail
s":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"wi
ndows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsof
t.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132a
d9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"c
is-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":
"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -6018,25 +7274,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based 
Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -6045,10 +7301,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer",
"like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imageP
ublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -6058,18 +7314,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6078,36 +7334,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -6116,7 +7374,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6126,71 +7385,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -6200,7 +7460,17 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"str
ing"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"typ
e":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -6208,107 +7478,123 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security 
Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"
effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","conten
tVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -6318,7 +7604,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -6331,21 +7617,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6364,354 +7650,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Guest
Configuration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{
"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure 
Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and 
Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -6720,9 +8039,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6735,21 +8054,22 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to 
scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d
16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -6757,7 +8077,7 @@ interactions: Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6771,84 +8091,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -6857,109 +8180,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6967,32 +8292,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"
},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/im
agePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/
policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -7002,17 +8328,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7024,7 +8350,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7032,73 +8358,74 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored 
access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplic
ation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central 
India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -7111,22 +8438,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7134,11 +8462,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -7146,12 +8474,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"
Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field
":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -7159,11 +8487,12 @@ interactions: variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Configure - time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -7214,7 +8543,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybri
dCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastru
cture-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7224,15 +8553,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7240,72 +8570,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"typ
e":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/i
mageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And 
Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group 
Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7314,10 +8652,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{
"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7327,32 +8665,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + 
implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7361,13 +8699,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7379,31 +8718,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -7417,70 +8756,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7488,13 +8828,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7502,70 +8842,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -7591,7 +8933,30 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[paramete
rs(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToChec
kForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientC
onnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"stri
ng"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs 
credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -7612,10 +8977,12 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -7623,46 +8990,49 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gue
stConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},
{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"renderin
g-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7674,7 +9044,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -7686,7 +9056,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -7697,40 +9068,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7739,91 +9110,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-
os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7832,13 +9205,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS Baud Rate","description":"An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft
.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -7849,73 +9223,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledAppli
cation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rende
ring-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7924,8 +9299,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -7935,13 +9310,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7949,94 +9324,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource 
Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -8056,7 +9433,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASer
vice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFiles
AndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreD
eniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type"
:"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -8074,138 +9471,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8213,18 +9622,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -8232,9 +9641,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike"
:"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8247,15 +9656,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -8263,18 +9674,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8282,110 +9694,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Comp
ute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReb
oot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastruct
ure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration 
Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Complian
t"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8394,7 +9815,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8403,89 +9825,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies - whether local administrators are allowed to create connection security rules - that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network 
traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies - the behavior for outbound connections for the Private profile that do not - match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules - that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound 
connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base
64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -8517,7 +9942,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(
''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDis
playNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUse
ProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnecti
ons":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -8536,10 +9982,12 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8548,13 +9996,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -8565,36 +10013,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},
"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / 
Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8602,8 +10050,8 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/mac
hines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"f
ield":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -8611,11 +10059,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Comput
e/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compu
te/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -8626,49 +10074,55 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: Show audit 
results from Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8676,103 +10130,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detail
s":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":
"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft 
Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West 
US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -8786,109 +10256,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8896,42 +10370,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCo
mpute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The 
standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic 
settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -8950,111 +10426,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microso
ft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-se
rver*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft 
Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9062,172 +10541,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","det
ails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authoriza
tion/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management 
control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -9236,10 +10728,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-inte
rnet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + enabled. Windows web servers with lower TLS versions will be marked as 
non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/
imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9254,80 +10746,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -9336,10 +10833,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-w
indows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/i
mageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9354,11 +10851,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Guest
Configuration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf
":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9369,21 +10867,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9391,51 +10895,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaselin
e_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -9445,25 +10949,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerD
isconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLog
onHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft 
network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9471,28 +10985,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Mi
crosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + 
Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9500,20 +11015,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/
machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"
field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9526,57 +11041,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -9588,42 +11109,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are 
generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -9676,7 +11204,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybr
idCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9690,67 +11218,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}
]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"f
ield":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.
Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization
/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Microsoft + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -9758,28 +11298,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","eq
uals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -9793,39 +11333,45 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9839,11 +11385,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9851,32 +11397,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micros
oft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}
}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/micros
oft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals"
:"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -9887,7 +11434,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -9903,30 +11450,31 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9934,88 +11482,95 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCo
mpute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHi
story","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compu
te/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -10026,30 +11581,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10059,8 +11616,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10070,33 +11627,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -10109,57 +11666,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialCons
ole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft 
Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10173,41 +11730,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"M
icrosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 
1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10215,43 +11774,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10260,9 +11825,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10273,124 +11838,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read 
privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}
}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"
ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/provide
rs/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"a
nyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', - 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -10398,104 +11988,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account 
status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -10503,20 +12111,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10530,74 +12138,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - 
Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -10607,8 +12217,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10616,26 +12226,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10650,12 +12265,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10669,25 +12284,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10701,23 +12316,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10726,11 +12341,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10740,17 +12355,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -10762,7 +12377,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10770,33 +12386,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10804,38 +12425,39 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.Hybri
dCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificat
eInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePubl
isher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of 
authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetC
omplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -10843,10 +12465,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10858,7 +12480,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -10872,81 +12494,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be 
accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10954,107 +12584,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"M
icrosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-
windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System 
Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Microsoft + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + account containing the container with activity logs must be encrypted with + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this 
Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11062,101 +12709,105 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","
details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal
"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And 
Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer
","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"prope
rties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. 
Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate 
expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + 
''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -11165,7 +12816,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -11174,25 +12825,25 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -11201,7 +12852,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -11211,71 +12862,72 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for 
@@ -11284,140 +12936,62 @@ interactions: Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. 
Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS - Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"test_policy6iqdav32l","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:20:01.1577308Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy4zz266ek6","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy4zz266ek6"},{"properties":{"displayName":"test_policybsix632z6","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T03:24:37.437303Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy57hfk7oid","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy57hfk7oid"},{"properties":{"displayName":"test_policy3ulbefgq5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy5rxcsbgyu","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy5rxcsbgyu"},{"properties":{"displayName":"test_policy66vwzao4g","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:12:26.4310804Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy63bzujayf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy63bzujayf"},{"properties":{"displayName":"test_policyvrud2j572","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6rmvrx2ug","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy6rmvrx2ug"},{"properties":{"displayName":"test_policyqr33lcjpy","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:02:21.3055647Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6vduv5kcq","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy6vduv5kcq"},{"properties":{"displayName":"test_policyeezgnn3tf","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy72fpbk6om","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy72fpbk6om"},{"properties":{"displayName":"test_policylzld56g3c","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy75lhjp2qz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy75lhjp2qz"},{"properties":{"displayName":"test_policyac3dg2mjn","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T09:20:41.768722Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7nfzu5aac","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy7nfzu5aac"},{"properties":{"displayName":"test_policy4leaozaze","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyafjaspbln","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyafjaspbln"},{"properties":{"displayName":"test_policytz5xijuco","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","displayName":"Allowed - 
locations","strongType":"location"}}},"policyRule":{"if":{"not":{"in":"[parameters(''allowedLocations'')]","field":"location"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyaip6dvuui","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyaip6dvuui"},{"properties":{"displayName":"test_policyk2ipvteje","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policycc24wg2ai","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policycc24wg2ai"},{"properties":{"displayName":"test_policytxax3vq3l","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:13:20.7569455Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyeal5hjxel","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyeal5hjxel"},{"properties":{"displayName":"test_policynek2j6dvx","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyebyt2or2s","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyebyt2or2s"},{"properties":{"displayName":"test_policyo57mbgttt","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf4gvztvgz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyf4gvztvgz"},{"properties":{"displayName":"test_policyry7ktdqpn","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfneqctrjx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyfneqctrjx"},{"properties":{"displayName":"test_policyhproaqyb2","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T07:55:49.8973296Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfo7wr4vix","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyfo7wr4vix"},{"properties":{"displayName":"test_policyfufe2htyd","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:17:08.3329915Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyftxdxfati","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyftxdxfati"},{"properties":{"displayName":"test_policypq5w4fcp5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhavmopeay","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyhavmopeay"},{"properties":{"displayName":"test_policyzhxn622hb","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhb6kmyq63","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyhb6kmyq63"},{"properties":{"displayName":"test_policyzbi2xb6y7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyismcbfzwf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyismcbfzwf"},{"properties":{"displayName":"test_policyyulsilxiw","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjp2hqpyxg","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyjp2hqpyxg"},{"properties":{"displayName":"test_policy3b7x23vtu","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:09:59.3205891Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyk7i5cvli7","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyk7i5cvli7"},{"properties":{"displayName":"test_policykr5rg52qb","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-20T07:02:32.8430887Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyko7fuaryl","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyko7fuaryl"},{"properties":{"displayName":"test_policym7v6bzkep","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyl5e3igsku","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyl5e3igsku"},{"properties":{"displayName":"test_policyr5ivz4uoy","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policylw4dif6k4","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policylw4dif6k4"},{"properties":{"displayName":"test_policytbp7jr4ui","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:32:31.9256236Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyma7xpif5f","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyma7xpif5f"},{"properties":{"displayName":"test_policyltbuxqxmj","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:01:18.5679417Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymhawrsfdj","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policymhawrsfdj"},{"properties":{"displayName":"test_policyp2yhkolhg","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymxx4vzibo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policymxx4vzibo"},{"properties":{"displayName":"test_policyt252aa3in","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyose3kehj3","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyose3kehj3"},{"properties":{"displayName":"test_policyg5g7wrd63","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqcexugiyb","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyqcexugiyb"},{"properties":{"displayName":"test_policyrhqz2lkr7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:06:49.1738752Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqsscwoy4k","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyqsscwoy4k"},{"properties":{"displayName":"test_policyfn5bvohrv","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-15T07:02:13.594025Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr45j67nyp","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyr45j67nyp"},{"properties":{"displayName":"test_policygciiyb5ye","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:07:22.3409618Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr7fhjcb3r","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyr7fhjcb3r"},{"properties":{"displayName":"test_policy2k3hcktfx","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:18:07.741136Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrnepsjpsa","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrnepsjpsa"},{"properties":{"displayName":"test_policy5u5ook2zf","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrs5zxfokx"},{"properties":{"displayName":"test_policyepxuvmnrs","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrtseayuym","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrtseayuym"},{"properties":{"displayName":"test_policyeglfwi2os","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrzih7n7ws","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrzih7n7ws"},{"properties":{"displayName":"test_policyrjb7ausww","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-26T07:06:57.89264Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysh2ld2fbf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policysh2ld2fbf"},{"properties":{"displayName":"test_policyeop2lxcb7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytaxuus2zo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policytaxuus2zo"},{"properties":{"displayName":"test_policymichd2ukj","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytrkoh7vio","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policytrkoh7vio"},{"properties":{"displayName":"test_policymhqqjyizg","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyunv6j3gfp","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyunv6j3gfp"},{"properties":{"displayName":"test_policyf2qzg3ba4","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","displayName":"Allowed - 
locations","strongType":"location"}}},"policyRule":{"if":{"not":{"in":"[parameters(''allowedLocations'')]","field":"location"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv3qavzpbx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv3qavzpbx"},{"properties":{"displayName":"test_policy5koxubsg5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv53qgvql6","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv53qgvql6"},{"properties":{"displayName":"test_policycaxoe7agu","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:14:31.5587491Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv6bc2zdey","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv6bc2zdey"},{"properties":{"displayName":"test_policy65zhk56oe","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T09:12:22.7078165Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvmph7iatk","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyvmph7iatk"},{"properties":{"displayName":"test_policy7t2i6ysv7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvpb2ircbl","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyvpb2ircbl"},{"properties":{"displayName":"test_policyc2n4hwvff","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:21:23.3432499Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policywsslcs6dz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policywsslcs6dz"},{"properties":{"displayName":"test_policyn67yt2fld_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-06-11T06:51:10.2516Z","updatedBy":"93a01e49-673a-4e15-8230-51214a737962","updatedOn":"2019-06-11T06:51:13.9885473Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 
2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyx5j3fsjzb","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyx5j3fsjzb"},{"properties":{"displayName":"test_policy574uc23jc","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:14:59.7674009Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy7mglfglo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyy7mglfglo"},{"properties":{"displayName":"test_policyif4bjggk7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyuuoin4oc","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyyuuoin4oc"},{"properties":{"displayName":"test_policyvy7eweevk","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-19T07:01:55.8648869Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyzyhzyddss","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyzyhzyddss"},{"properties":{"policyType":"Custom","mode":"Indexed","description":"Deny - cool access tiering for 
storage","metadata":{"createdBy":"89ed5be8-ff97-41b5-ab11-055e1e3cc34b","createdOn":"2019-03-09T04:29:39.8836867Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"kind","equals":"BlobStorage"},{"not":{"field":"Microsoft.Storage/storageAccounts/accessTier","equals":"cool"}}]},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering","type":"Microsoft.Authorization/policyDefinitions","name":"denyCoolTiering"},{"properties":{"policyType":"Custom","mode":"All","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:58:35.9462109Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-08T05:58:36.2899714Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1d6a287496763bd","type":"Microsoft.Authorization/policyDefinitions","name":"pd1d6a287496763bd"},{"properties":{"policyType":"Custom","mode":"All","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T04:25:20.3616782Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-08T04:25:20.5689022Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1ff115351d7d620","type":"Microsoft.Authorization/policyDefinitions","name":"pd1ff115351d7d620"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:58:36.5087248Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeur
ope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd226f944793a0edd","type":"Microsoft.Authorization/policyDefinitions","name":"pd226f944793a0edd"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T04:25:20.9593945Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd248103959e1b89a","type":"Microsoft.Authorization/policyDefinitions","name":"pd248103959e1b89a"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:53:56.4821495Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn4b00229168b529","type":"Microsoft.Authorization/policyDefinitions","name":"pdn4b00229168b529"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:12:02.5562119Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn7d459478c62e5f","type":"Microsoft.Authorization/policyDefinitions","name":"pdn7d459478c62e5f"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:16:25.1651266Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":
{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdndd5095457eae7f","type":"Microsoft.Authorization/policyDefinitions","name":"pdndd5095457eae7f"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:21:56.3757672Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdnfc173081e3e1c6","type":"Microsoft.Authorization/policyDefinitions","name":"pdnfc173081e3e1c6"},{"properties":{"displayName":"pol-defdis-2169","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:43:22.5629692Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-2601","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-2601"},{"properties":{"displayName":"pol-dis-5258","policyType":"Custom","mode":"Indexed","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T09:57:59.3671014Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3066","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-3066"},{"properties":{"displayName":"pol-defdis-1797","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:59:42.1212637Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3604","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-3604"},{"properties":{"displayName":"pol-defdis-8885","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:51:26.6479837Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4703","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-4703"},{"properties":{"displayName":"pol-defdis-5984","policyType":"Custom","mode":"All","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:44:44.5908405Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4803","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-4803"},{"properties":{"displayName":"pol-dis-2866","policyType":"Custom","mode":"Indexed","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T09:59:29.3473453Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-7444","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-7444"},{"properties":{"displayName":"pol-defdis-3052","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:50:49.8743418Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-834","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-834"},{"properties":{"displayName":"pol-dis-6545","policyType":"Custom","mode":"Indexed","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:01:11.8439197Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-07T10:01:13.5984375Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-900","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-900"},{"properties":{"displayName":"pol-defdis-412","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:39:00.9481726Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-9447","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-9447"}]}' + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"Replace + tag without becoming 
compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"Tag + equals metric definition.","policyType":"Custom","mode":"All","metadata":{"category":"jilim","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2020-01-09T21:37:54.2256089Z","updatedBy":null,"updatedOn":null},"parameters":{"metdef":{"type":"String","metadata":{"displayName":"Metric + Definition","description":null,"strongType":"Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions"}}},"policyRule":{"if":{"field":"tags.foo","equals":"[parameters(''metdef'')]"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/296de002-cb8b-459c-b823-3ccc10e3bc2a","type":"Microsoft.Authorization/policyDefinitions","name":"296de002-cb8b-459c-b823-3ccc10e3bc2a"},{"properties":{"displayName":"rohitbh: + Key vault access policy","policyType":"Custom","mode":"All","description":"definition + description","metadata":{"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:11:44.907552Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:08:39.7776262Z"},"parameters":{"userObjectId":{"type":"String","metadata":{"displayName":"User 
+ Object ID","description":"The GUID for the user which should have access"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.Keyvault/vaults/accessPolicies[*].objectId","notEquals":"[parameters(''userObjectId'')]"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.KeyVault/vaults","name":"current","deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"objectId":{"type":"string"},"keyVaultName":{"type":"string"},"secretsPermissions":{"type":"array","defaultValue":["list"]},"tenantId":{"type":"string"},"location":{"type":"string"},"sku":{"type":"object"},"existingAccessPolicies":{"type":"array","defaultValue":[]}},"variables":{"accessPolicies":[{"tenantId":"[parameters(''tenantId'')]","objectId":"[parameters(''objectId'')]","permissions":{"secrets":"[parameters(''secretsPermissions'')]"}}]},"resources":[{"type":"Microsoft.KeyVault/vaults","name":"[parameters(''keyVaultName'')]","location":"[parameters(''location'')]","apiVersion":"2018-02-14","properties":{"sku":"[parameters(''sku'')]","tenantId":"[parameters(''tenantId'')]","accessPolicies":"[concat(parameters(''existingAccessPolicies''), + 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"Append + System MSI","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-01-24T20:38:43.1098002Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"identity.type","notContains":"SystemAssigned"},{"field":"identity.type","notContains":"UserAssigned"}]},"then":{"effect":"append","details":[{"field":"identity.type","value":"SystemAssigned + "}]}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/696db945-5483-4632-95bc-d76037001b62","type":"Microsoft.Authorization/policyDefinitions","name":"696db945-5483-4632-95bc-d76037001b62"},{"properties":{"displayName":"vnet + peering 
test","policyType":"Custom","mode":"All","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-03T19:35:56.3137183Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks"}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings","existenceCondition":{"allOf":[{"field":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id","exists":true}]}}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/96bb4fa1-6ce9-4579-8d80-97e024120b63","type":"Microsoft.Authorization/policyDefinitions","name":"96bb4fa1-6ce9-4579-8d80-97e024120b63"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated + Unit test junk: sorry for littering. Please delete me!","metadata":{"testName":"testValue","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-02T22:35:27.2634648Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-02T22:35:29.2696603Z"},"policyRule":{"if":{"source":"action","equals":"Microsoft.Resources/Subscriptions/ResourceGroups/write"},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7866","type":"Microsoft.Authorization/policyDefinitions","name":"ps7866"},{"properties":{"displayName":"robga + test 
modify","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-06T13:52:23.9266854Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-28T17:18:53.3118044Z"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"tags.testModify","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"tags.testModify","value":"addModifyOperation"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","type":"Microsoft.Authorization/policyDefinitions","name":"robgaTestModify"},{"properties":{"displayName":"Audit + tag at MG","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:29.3038974Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.Test","equals":"UnitTest"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","type":"Microsoft.Authorization/policyDefinitions","name":"03ae6c12-b46a-43f1-9f3d-c20620473106"},{"properties":{"displayName":"\"metadata\": + { \"category\": \"testResourcesGrid\" 
},","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T20:48:36.8149755Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.testResourcesGrid","equals":"testResourcesGrid"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/4bba2e95-2749-431f-95ff-d032a3ae57f6","type":"Microsoft.Authorization/policyDefinitions","name":"4bba2e95-2749-431f-95ff-d032a3ae57f6"},{"properties":{"displayName":"CaleC + - Technical Owner Email Tag on RG","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-13T21:16:37.0623117Z","updatedBy":null,"updatedOn":null},"parameters":{"namePattern":{"type":"String","metadata":{"displayName":"Pattern + matching","description":"Pattern to use for names. Can include wildcard (*)."}},"tagName":{"type":"String","metadata":{"displayName":"tagName","description":"Technical + Owner Email Address"},"defaultValue":"TechnicalOwnerEmail"}},"policyRule":{"if":{"allOf":[{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","like":"[parameters(''namePattern'')]"}},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/54d50b8c-c4c6-4552-9e50-19925aedcf44","type":"Microsoft.Authorization/policyDefinitions","name":"54d50b8c-c4c6-4552-9e50-19925aedcf44"},{"properties":{"displayName":"rohitbh + def","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-28T00:13:27.0393653Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + 
locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/5b51a7de-acd9-42cd-81bd-32d9c01968e9","type":"Microsoft.Authorization/policyDefinitions","name":"5b51a7de-acd9-42cd-81bd-32d9c01968e9"},{"properties":{"displayName":"jilim + audit subscriptions without security contacts","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-07T20:59:59.7600143Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/Subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Security/securityContacts"}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/67d90168-f067-43df-bd57-bca4b46df3a0","type":"Microsoft.Authorization/policyDefinitions","name":"67d90168-f067-43df-bd57-bca4b46df3a0"},{"properties":{"displayName":"Empty + deployment on each KeyVault resource","policyType":"Custom","mode":"Indexed","description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"category":"SDK Tests","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:12.9974078Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/policyAssignments","name":"notExists","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[],"outputs":{"constantOutput":{"type":"string","value":"someConstantValue"}}}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","type":"Microsoft.Authorization/policyDefinitions","name":"78a38c70-5549-49bd-8a16-fe3619e5d2cf"},{"properties":{"displayName":"CaleC + - Ensure principal is member of role","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-08T01:55:56.4678953Z","updatedBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","updatedOn":"2019-11-13T21:19:54.5769298Z"},"parameters":{"roleDefinitionId":{"type":"String","metadata":{"displayName":"Approved + Role Definition","description":"The role definition id to add the principal + to."}},"principalId":{"type":"String","metadata":{"displayName":"Principal + Id","description":"Principal Id to add to 
roles"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"name","equals":"[parameters(''roleDefinitionId'')]"}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/roleAssignments","deploymentScope":"subscription","existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Authorization/roleAssignments/principalId","equals":"[parameters(''principalId'')]"},{"field":"Microsoft.Authorization/roleAssignments/roleDefinitionId","equals":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleDefinitionId''))]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"roleId":{"value":"[parameters(''roleDefinitionId'')]"},"principalId":{"value":"[parameters(''principalId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"principalId":{"type":"string"},"roleId":{"type":"string"}},"resources":[{"name":"[guid(subscription().id, + parameters(''roleId''), parameters(''principalId''))]","type":"Microsoft.Authorization/roleAssignments","apiVersion":"2019-04-01-preview","properties":{"principalId":"[parameters(''principalId'')]","roleDefinitionId":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleId''))]"}}]}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/906ef7c2-27f9-48f4-b111-1f0aca8697cd","type":"Microsoft.Authorization/policyDefinitions","name":"906ef7c2-27f9-48f4-b111-1f0aca8697cd"},{"properties":{"displayName":"jilim + mg test 
2","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:34:15.5651057Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilim + mg test 2","type":"Microsoft.Authorization/policyDefinitions","name":"jilim + mg test 2"},{"properties":{"displayName":"jilim mg test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:00:41.0087033Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilimmgtest","type":"Microsoft.Authorization/policyDefinitions","name":"jilimmgtest"}]}' headers: cache-control: - no-cache content-length: - - '1680865' + - '1789218' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:03:18 GMT + - Thu, 06 Feb 2020 00:14:24 GMT expires: - '-1' pragma: @@ -11446,7 +13020,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11455,41 +13029,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed 
Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11497,55 +13077,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCom
pute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},
{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11558,11 +13138,11 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -11574,67 +13154,69 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -11646,17 +13228,17 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11667,26 +13249,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -11694,7 +13278,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -11713,44 +13297,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -11759,96 +13349,98 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderEx
ploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Comput
e/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsof
t.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11858,11 +13450,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-20
1*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11872,55 +13464,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws 
or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this 
System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -11929,11 +13526,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11944,22 +13541,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11968,11 +13566,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/
imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute
/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -11982,12 +13580,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11996,7 +13595,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12005,10 +13605,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + 
implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12016,22 +13616,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machi
nes"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublis
her","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -12042,44 +13643,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -12087,48 +13690,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Win
dowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microso
ft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -12136,12 +13739,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12153,51 +13756,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -12205,18 +13815,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestCo
nfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12224,20 +13837,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","det
ails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},
{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12246,8 +13861,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},
{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12256,16 +13871,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12278,28 +13893,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"
field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12312,37 +13927,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -12353,22 +13969,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12376,132 +13993,149 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field"
:"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"wi
ndows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsof
t.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132a
d9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"c
is-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":
"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -12511,25 +14145,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based 
Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12538,10 +14172,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer
","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imag
ePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -12551,18 +14185,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12571,36 +14205,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12609,7 +14245,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12619,71 +14256,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -12693,7 +14331,8 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"st
ring"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"ty
pe":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -12701,107 +14340,132 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + 
clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","conten
tVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -12811,7 +14475,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -12824,21 +14488,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12857,354 +14521,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gue
stConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure 
Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and 
Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -13213,9 +14910,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"
11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -13228,21 +14925,22 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to 
scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d
16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -13250,7 +14948,7 @@ interactions: Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -13264,84 +14962,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -13350,109 +15051,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13460,32 +15163,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/im
agePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/
policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -13495,17 +15199,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13517,7 +15221,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13525,73 +15229,74 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micros
oft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored 
access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplic
ation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central 
India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -13604,22 +15309,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13627,11 +15333,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Mic
rosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -13639,12 +15345,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field"
:"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -13652,11 +15358,12 @@ interactions: variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Configure - time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -13707,7 +15414,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hyb
ridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrast
ructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13717,15 +15424,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13733,72 +15441,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute
/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And 
Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group 
Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -13807,10 +15523,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13820,32 +15536,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory 
+ implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -13854,13 +15570,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"
]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13872,31 +15589,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -13910,70 +15627,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13981,13 +15699,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -13995,70 +15713,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -14084,7 +15804,30 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parame
ters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCh
eckForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClien
tConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"st
ring"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs 
credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -14105,10 +15848,12 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -14116,46 +15861,49 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.G
uestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]
},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"renderin
g-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -14167,7 +15915,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -14179,7 +15927,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14190,40 +15939,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -14232,91 +15981,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-
os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14325,13 +16076,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS Baud Rate","description":"An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft
.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14342,73 +16094,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledAppli
cation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rende
ring-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14417,8 +16170,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14428,13 +16181,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14442,94 +16195,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource 
Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -14549,7 +16304,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAS
ervice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFil
esAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAr
eDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"typ
e":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -14567,138 +16342,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14706,18 +16493,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -14725,9 +16512,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLik
e":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14740,15 +16527,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -14756,18 +16545,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14775,110 +16565,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReb
oot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastruct
ure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration 
Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Complian
t"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14887,7 +16686,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"
field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14896,89 +16696,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - 
profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - 
profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base
64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -15010,7 +16813,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameter
s(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicD
isplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicU
seProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnec
tions":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -15029,10 +16853,12 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -15041,13 +16867,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/
imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -15058,36 +16884,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},
"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / 
Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15095,8 +16921,8 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/ma
chines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"
field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -15104,11 +16930,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compu
te/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Comp
ute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -15119,49 +16945,55 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: Show audit 
results from Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15169,103 +17001,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field"
:"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft 
Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West 
US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -15279,109 +17127,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15389,42 +17241,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-ser
ver-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The 
standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic 
settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -15443,111 +17297,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Micros
oft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-s
erver*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft 
Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15555,172 +17412,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authoriza
tion/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management 
control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -15729,10 +17599,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-int
ernet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + enabled. Windows web servers with lower TLS versions will be marked as 
non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/
imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -15747,80 +17617,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micros
oft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -15829,10 +17704,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-
windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/
imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -15847,11 +17722,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gues
tConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -15862,21 +17738,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15884,51 +17766,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaselin
e_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -15938,25 +17820,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServer
DisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLo
gonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft 
network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15964,28 +17856,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"M
icrosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + 
Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15993,20 +17886,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute
/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -16019,57 +17912,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group 
Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -16081,42 +17980,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are 
generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -16169,7 +18075,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hyb
ridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servi
ces"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -16183,67 +18089,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]
}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"
field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.
Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization
/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Microsoft + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -16251,28 +18169,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","eq
uals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -16286,39 +18204,45 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -16332,11 +18256,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16344,32 +18268,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}
}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/micros
oft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals"
:"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -16380,7 +18305,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -16396,30 +18321,31 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16427,88 +18353,95 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field
":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHi
story","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compu
te/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -16519,30 +18452,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -16552,8 +18487,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -16563,33 +18498,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -16602,57 +18537,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialCons
ole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft 
Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -16666,41 +18601,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"M
icrosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 
1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16708,43 +18645,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all 
folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -16753,9 +18696,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -16766,124 +18709,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read 
privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}
}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"
ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/provide
rs/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"a
nyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', - 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -16891,104 +18859,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -16996,20 +18982,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17023,74 +19009,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - 
Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -17100,8 +19088,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -17109,26 +19097,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17143,12 +19136,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17162,25 +19155,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17194,23 +19187,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -17219,11 +19212,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -17233,17 +19226,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -17255,7 +19248,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -17263,33 +19257,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17297,38 +19296,39 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.Hybri
dCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificat
eInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePubl
isher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of 
authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetC
omplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -17336,10 +19336,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -17351,7 +19351,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -17365,81 +19365,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be 
accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17447,107 +19455,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"M
icrosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-
windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System 
Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Microsoft + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + account containing the container with activity logs must be encrypted with + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this 
Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17555,101 +19580,105 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","
details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal
"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And 
Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer
","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"prope
rties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. 
Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate 
expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + 
''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -17658,7 +19687,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -17667,25 +19696,25 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -17694,7 +19723,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -17704,71 +19733,72 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for 
@@ -17777,140 +19807,62 @@ interactions: Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. 
Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS - Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"test_policy6iqdav32l","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:20:01.1577308Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy4zz266ek6","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy4zz266ek6"},{"properties":{"displayName":"test_policybsix632z6","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T03:24:37.437303Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy57hfk7oid","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy57hfk7oid"},{"properties":{"displayName":"test_policy3ulbefgq5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy5rxcsbgyu","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy5rxcsbgyu"},{"properties":{"displayName":"test_policy66vwzao4g","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:12:26.4310804Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy63bzujayf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy63bzujayf"},{"properties":{"displayName":"test_policyvrud2j572","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6rmvrx2ug","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy6rmvrx2ug"},{"properties":{"displayName":"test_policyqr33lcjpy","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:02:21.3055647Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6vduv5kcq","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy6vduv5kcq"},{"properties":{"displayName":"test_policyeezgnn3tf","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy72fpbk6om","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy72fpbk6om"},{"properties":{"displayName":"test_policylzld56g3c","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy75lhjp2qz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy75lhjp2qz"},{"properties":{"displayName":"test_policyac3dg2mjn","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T09:20:41.768722Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7nfzu5aac","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy7nfzu5aac"},{"properties":{"displayName":"test_policy4leaozaze","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyafjaspbln","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyafjaspbln"},{"properties":{"displayName":"test_policytz5xijuco","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","displayName":"Allowed - 
locations","strongType":"location"}}},"policyRule":{"if":{"not":{"in":"[parameters(''allowedLocations'')]","field":"location"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyaip6dvuui","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyaip6dvuui"},{"properties":{"displayName":"test_policyk2ipvteje","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policycc24wg2ai","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policycc24wg2ai"},{"properties":{"displayName":"test_policytxax3vq3l","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:13:20.7569455Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyeal5hjxel","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyeal5hjxel"},{"properties":{"displayName":"test_policynek2j6dvx","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyebyt2or2s","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyebyt2or2s"},{"properties":{"displayName":"test_policyo57mbgttt","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf4gvztvgz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyf4gvztvgz"},{"properties":{"displayName":"test_policyry7ktdqpn","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfneqctrjx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyfneqctrjx"},{"properties":{"displayName":"test_policyhproaqyb2","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T07:55:49.8973296Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfo7wr4vix","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyfo7wr4vix"},{"properties":{"displayName":"test_policyfufe2htyd","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:17:08.3329915Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyftxdxfati","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyftxdxfati"},{"properties":{"displayName":"test_policypq5w4fcp5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhavmopeay","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyhavmopeay"},{"properties":{"displayName":"test_policyzhxn622hb","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhb6kmyq63","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyhb6kmyq63"},{"properties":{"displayName":"test_policyzbi2xb6y7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyismcbfzwf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyismcbfzwf"},{"properties":{"displayName":"test_policyyulsilxiw","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjp2hqpyxg","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyjp2hqpyxg"},{"properties":{"displayName":"test_policy3b7x23vtu","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:09:59.3205891Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyk7i5cvli7","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyk7i5cvli7"},{"properties":{"displayName":"test_policykr5rg52qb","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-20T07:02:32.8430887Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyko7fuaryl","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyko7fuaryl"},{"properties":{"displayName":"test_policym7v6bzkep","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyl5e3igsku","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyl5e3igsku"},{"properties":{"displayName":"test_policyr5ivz4uoy","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policylw4dif6k4","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policylw4dif6k4"},{"properties":{"displayName":"test_policytbp7jr4ui","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:32:31.9256236Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyma7xpif5f","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyma7xpif5f"},{"properties":{"displayName":"test_policyltbuxqxmj","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:01:18.5679417Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymhawrsfdj","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policymhawrsfdj"},{"properties":{"displayName":"test_policyp2yhkolhg","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymxx4vzibo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policymxx4vzibo"},{"properties":{"displayName":"test_policyt252aa3in","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyose3kehj3","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyose3kehj3"},{"properties":{"displayName":"test_policyg5g7wrd63","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqcexugiyb","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyqcexugiyb"},{"properties":{"displayName":"test_policyrhqz2lkr7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:06:49.1738752Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqsscwoy4k","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyqsscwoy4k"},{"properties":{"displayName":"test_policyfn5bvohrv","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-15T07:02:13.594025Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr45j67nyp","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyr45j67nyp"},{"properties":{"displayName":"test_policygciiyb5ye","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:07:22.3409618Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr7fhjcb3r","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyr7fhjcb3r"},{"properties":{"displayName":"test_policy2k3hcktfx","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:18:07.741136Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrnepsjpsa","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrnepsjpsa"},{"properties":{"displayName":"test_policy5u5ook2zf","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrs5zxfokx"},{"properties":{"displayName":"test_policyepxuvmnrs","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrtseayuym","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrtseayuym"},{"properties":{"displayName":"test_policyeglfwi2os","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrzih7n7ws","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyrzih7n7ws"},{"properties":{"displayName":"test_policyrjb7ausww","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-26T07:06:57.89264Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysh2ld2fbf","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policysh2ld2fbf"},{"properties":{"displayName":"test_policyeop2lxcb7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytaxuus2zo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policytaxuus2zo"},{"properties":{"displayName":"test_policymichd2ukj","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytrkoh7vio","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policytrkoh7vio"},{"properties":{"displayName":"test_policymhqqjyizg","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyunv6j3gfp","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyunv6j3gfp"},{"properties":{"displayName":"test_policyf2qzg3ba4","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","displayName":"Allowed - 
locations","strongType":"location"}}},"policyRule":{"if":{"not":{"in":"[parameters(''allowedLocations'')]","field":"location"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv3qavzpbx","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv3qavzpbx"},{"properties":{"displayName":"test_policy5koxubsg5","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv53qgvql6","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv53qgvql6"},{"properties":{"displayName":"test_policycaxoe7agu","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T02:14:31.5587491Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv6bc2zdey","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyv6bc2zdey"},{"properties":{"displayName":"test_policy65zhk56oe","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T09:12:22.7078165Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvmph7iatk","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyvmph7iatk"},{"properties":{"displayName":"test_policy7t2i6ysv7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvpb2ircbl","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyvpb2ircbl"},{"properties":{"displayName":"test_policyc2n4hwvff","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-06T10:21:23.3432499Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policywsslcs6dz","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policywsslcs6dz"},{"properties":{"displayName":"test_policyn67yt2fld_new","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-06-11T06:51:10.2516Z","updatedBy":"93a01e49-673a-4e15-8230-51214a737962","updatedOn":"2019-06-11T06:51:13.9885473Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 
2"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyx5j3fsjzb","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyx5j3fsjzb"},{"properties":{"displayName":"test_policy574uc23jc","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-09T08:14:59.7674009Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy7mglfglo","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyy7mglfglo"},{"properties":{"displayName":"test_policyif4bjggk7","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123_new","metadata":{"category":"test2"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - 
locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyuuoin4oc","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyyuuoin4oc"},{"properties":{"displayName":"test_policyvy7eweevk","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"category":"test","createdBy":"93a01e49-673a-4e15-8230-51214a737962","createdOn":"2019-02-19T07:01:55.8648869Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"description":"The - list of locations that can be specified when deploying resources","strongType":"location","displayName":"Allowed - locations"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyzyhzyddss","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policyzyhzyddss"},{"properties":{"policyType":"Custom","mode":"Indexed","description":"Deny - cool access tiering for 
storage","metadata":{"createdBy":"89ed5be8-ff97-41b5-ab11-055e1e3cc34b","createdOn":"2019-03-09T04:29:39.8836867Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"kind","equals":"BlobStorage"},{"not":{"field":"Microsoft.Storage/storageAccounts/accessTier","equals":"cool"}}]},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering","type":"Microsoft.Authorization/policyDefinitions","name":"denyCoolTiering"},{"properties":{"policyType":"Custom","mode":"All","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:58:35.9462109Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-08T05:58:36.2899714Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1d6a287496763bd","type":"Microsoft.Authorization/policyDefinitions","name":"pd1d6a287496763bd"},{"properties":{"policyType":"Custom","mode":"All","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T04:25:20.3616782Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-08T04:25:20.5689022Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1ff115351d7d620","type":"Microsoft.Authorization/policyDefinitions","name":"pd1ff115351d7d620"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:58:36.5087248Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeur
ope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd226f944793a0edd","type":"Microsoft.Authorization/policyDefinitions","name":"pd226f944793a0edd"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T04:25:20.9593945Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd248103959e1b89a","type":"Microsoft.Authorization/policyDefinitions","name":"pd248103959e1b89a"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:53:56.4821495Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn4b00229168b529","type":"Microsoft.Authorization/policyDefinitions","name":"pdn4b00229168b529"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:12:02.5562119Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn7d459478c62e5f","type":"Microsoft.Authorization/policyDefinitions","name":"pdn7d459478c62e5f"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:16:25.1651266Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":
{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdndd5095457eae7f","type":"Microsoft.Authorization/policyDefinitions","name":"pdndd5095457eae7f"},{"properties":{"policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:21:56.3757672Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdnfc173081e3e1c6","type":"Microsoft.Authorization/policyDefinitions","name":"pdnfc173081e3e1c6"},{"properties":{"displayName":"pol-defdis-2169","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:43:22.5629692Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-2601","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-2601"},{"properties":{"displayName":"pol-dis-5258","policyType":"Custom","mode":"Indexed","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T09:57:59.3671014Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3066","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-3066"},{"properties":{"displayName":"pol-defdis-1797","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-08T05:59:42.1212637Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3604","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-3604"},{"properties":{"displayName":"pol-defdis-8885","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:51:26.6479837Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4703","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-4703"},{"properties":{"displayName":"pol-defdis-5984","policyType":"Custom","mode":"All","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:44:44.5908405Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4803","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-4803"},{"properties":{"displayName":"pol-dis-2866","policyType":"Custom","mode":"Indexed","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T09:59:29.3473453Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-7444","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-7444"},{"properties":{"displayName":"pol-defdis-3052","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:50:49.8743418Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-834","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-834"},{"properties":{"displayName":"pol-dis-6545","policyType":"Custom","mode":"Indexed","description":"policy - definition 
description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:01:11.8439197Z","updatedBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","updatedOn":"2019-11-07T10:01:13.5984375Z"},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-900","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-900"},{"properties":{"displayName":"pol-defdis-412","policyType":"Custom","mode":"All","description":"policy - definition description","metadata":{"createdBy":"5b5e6b07-55b8-419b-a446-20fe0aa5b459","createdOn":"2019-11-07T10:39:00.9481726Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-9447","type":"Microsoft.Authorization/policyDefinitions","name":"pol-def-9447"}]}' + Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"Replace + tag without becoming 
compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"Tag + equals metric definition.","policyType":"Custom","mode":"All","metadata":{"category":"jilim","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2020-01-09T21:37:54.2256089Z","updatedBy":null,"updatedOn":null},"parameters":{"metdef":{"type":"String","metadata":{"displayName":"Metric + Definition","description":null,"strongType":"Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions"}}},"policyRule":{"if":{"field":"tags.foo","equals":"[parameters(''metdef'')]"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/296de002-cb8b-459c-b823-3ccc10e3bc2a","type":"Microsoft.Authorization/policyDefinitions","name":"296de002-cb8b-459c-b823-3ccc10e3bc2a"},{"properties":{"displayName":"rohitbh: + Key vault access policy","policyType":"Custom","mode":"All","description":"definition + description","metadata":{"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:11:44.907552Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:08:39.7776262Z"},"parameters":{"userObjectId":{"type":"String","metadata":{"displayName":"User 
+ Object ID","description":"The GUID for the user which should have access"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.Keyvault/vaults/accessPolicies[*].objectId","notEquals":"[parameters(''userObjectId'')]"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.KeyVault/vaults","name":"current","deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"objectId":{"type":"string"},"keyVaultName":{"type":"string"},"secretsPermissions":{"type":"array","defaultValue":["list"]},"tenantId":{"type":"string"},"location":{"type":"string"},"sku":{"type":"object"},"existingAccessPolicies":{"type":"array","defaultValue":[]}},"variables":{"accessPolicies":[{"tenantId":"[parameters(''tenantId'')]","objectId":"[parameters(''objectId'')]","permissions":{"secrets":"[parameters(''secretsPermissions'')]"}}]},"resources":[{"type":"Microsoft.KeyVault/vaults","name":"[parameters(''keyVaultName'')]","location":"[parameters(''location'')]","apiVersion":"2018-02-14","properties":{"sku":"[parameters(''sku'')]","tenantId":"[parameters(''tenantId'')]","accessPolicies":"[concat(parameters(''existingAccessPolicies''), + 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"Append + System MSI","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-01-24T20:38:43.1098002Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"identity.type","notContains":"SystemAssigned"},{"field":"identity.type","notContains":"UserAssigned"}]},"then":{"effect":"append","details":[{"field":"identity.type","value":"SystemAssigned + "}]}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/696db945-5483-4632-95bc-d76037001b62","type":"Microsoft.Authorization/policyDefinitions","name":"696db945-5483-4632-95bc-d76037001b62"},{"properties":{"displayName":"vnet + peering 
test","policyType":"Custom","mode":"All","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-03T19:35:56.3137183Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks"}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings","existenceCondition":{"allOf":[{"field":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id","exists":true}]}}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/96bb4fa1-6ce9-4579-8d80-97e024120b63","type":"Microsoft.Authorization/policyDefinitions","name":"96bb4fa1-6ce9-4579-8d80-97e024120b63"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated + Unit test junk: sorry for littering. Please delete me!","metadata":{"testName":"testValue","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-02T22:35:27.2634648Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-02T22:35:29.2696603Z"},"policyRule":{"if":{"source":"action","equals":"Microsoft.Resources/Subscriptions/ResourceGroups/write"},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7866","type":"Microsoft.Authorization/policyDefinitions","name":"ps7866"},{"properties":{"displayName":"robga + test 
modify","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-06T13:52:23.9266854Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-28T17:18:53.3118044Z"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"tags.testModify","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"tags.testModify","value":"addModifyOperation"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","type":"Microsoft.Authorization/policyDefinitions","name":"robgaTestModify"},{"properties":{"displayName":"Audit + tag at MG","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:29.3038974Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.Test","equals":"UnitTest"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","type":"Microsoft.Authorization/policyDefinitions","name":"03ae6c12-b46a-43f1-9f3d-c20620473106"},{"properties":{"displayName":"\"metadata\": + { \"category\": \"testResourcesGrid\" 
},","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T20:48:36.8149755Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.testResourcesGrid","equals":"testResourcesGrid"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/4bba2e95-2749-431f-95ff-d032a3ae57f6","type":"Microsoft.Authorization/policyDefinitions","name":"4bba2e95-2749-431f-95ff-d032a3ae57f6"},{"properties":{"displayName":"CaleC + - Technical Owner Email Tag on RG","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-13T21:16:37.0623117Z","updatedBy":null,"updatedOn":null},"parameters":{"namePattern":{"type":"String","metadata":{"displayName":"Pattern + matching","description":"Pattern to use for names. Can include wildcard (*)."}},"tagName":{"type":"String","metadata":{"displayName":"tagName","description":"Technical + Owner Email Address"},"defaultValue":"TechnicalOwnerEmail"}},"policyRule":{"if":{"allOf":[{"not":{"field":"[concat(''tags['',parameters(''tagName''), + '']'')]","like":"[parameters(''namePattern'')]"}},{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/54d50b8c-c4c6-4552-9e50-19925aedcf44","type":"Microsoft.Authorization/policyDefinitions","name":"54d50b8c-c4c6-4552-9e50-19925aedcf44"},{"properties":{"displayName":"rohitbh + def","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-28T00:13:27.0393653Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + 
locations","description":"The list of allowed locations for resources.","strongType":"location"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/5b51a7de-acd9-42cd-81bd-32d9c01968e9","type":"Microsoft.Authorization/policyDefinitions","name":"5b51a7de-acd9-42cd-81bd-32d9c01968e9"},{"properties":{"displayName":"jilim + audit subscriptions without security contacts","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-06-07T20:59:59.7600143Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/Subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Security/securityContacts"}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/67d90168-f067-43df-bd57-bca4b46df3a0","type":"Microsoft.Authorization/policyDefinitions","name":"67d90168-f067-43df-bd57-bca4b46df3a0"},{"properties":{"displayName":"Empty + deployment on each KeyVault resource","policyType":"Custom","mode":"Indexed","description":"Deploys + an empty deployment (with one output) on each KeyVault vault. 
Used for some + PolicyInsights SDK tests.","metadata":{"category":"SDK Tests","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T17:43:12.9974078Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/policyAssignments","name":"notExists","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[],"outputs":{"constantOutput":{"type":"string","value":"someConstantValue"}}}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/78a38c70-5549-49bd-8a16-fe3619e5d2cf","type":"Microsoft.Authorization/policyDefinitions","name":"78a38c70-5549-49bd-8a16-fe3619e5d2cf"},{"properties":{"displayName":"CaleC + - Ensure principal is member of role","policyType":"Custom","mode":"All","metadata":{"category":"Test","createdBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","createdOn":"2019-11-08T01:55:56.4678953Z","updatedBy":"b8890a11-51b6-457d-99f0-b36fde28fa4f","updatedOn":"2019-11-13T21:19:54.5769298Z"},"parameters":{"roleDefinitionId":{"type":"String","metadata":{"displayName":"Approved + Role Definition","description":"The role definition id to add the principal + to."}},"principalId":{"type":"String","metadata":{"displayName":"Principal + Id","description":"Principal Id to add to 
roles"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"name","equals":"[parameters(''roleDefinitionId'')]"}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Authorization/roleAssignments","deploymentScope":"subscription","existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Authorization/roleAssignments/principalId","equals":"[parameters(''principalId'')]"},{"field":"Microsoft.Authorization/roleAssignments/roleDefinitionId","equals":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleDefinitionId''))]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"roleId":{"value":"[parameters(''roleDefinitionId'')]"},"principalId":{"value":"[parameters(''principalId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"principalId":{"type":"string"},"roleId":{"type":"string"}},"resources":[{"name":"[guid(subscription().id, + parameters(''roleId''), parameters(''principalId''))]","type":"Microsoft.Authorization/roleAssignments","apiVersion":"2019-04-01-preview","properties":{"principalId":"[parameters(''principalId'')]","roleDefinitionId":"[concat(subscription().id, + ''/providers/Microsoft.Authorization/roleDefinitions/'', parameters(''roleId''))]"}}]}}}}}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/906ef7c2-27f9-48f4-b111-1f0aca8697cd","type":"Microsoft.Authorization/policyDefinitions","name":"906ef7c2-27f9-48f4-b111-1f0aca8697cd"},{"properties":{"displayName":"jilim + mg test 
2","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:34:15.5651057Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilim + mg test 2","type":"Microsoft.Authorization/policyDefinitions","name":"jilim + mg test 2"},{"properties":{"displayName":"jilim mg test","policyType":"Custom","mode":"All","metadata":{"createdBy":"69108416-6ac7-4a4f-ac13-fee20ff1ee02","createdOn":"2019-04-01T18:00:41.0087033Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"source":"action","equals":"Microsoft.Compute/virtualMachines/write"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/jilimmgtest","type":"Microsoft.Authorization/policyDefinitions","name":"jilimmgtest"}]}' headers: cache-control: - no-cache content-length: - - '1680865' + - '1789218' content-type: - application/json; charset=utf-8 date: - - Tue, 10 Dec 2019 11:03:21 GMT + - Thu, 06 Feb 2020 00:14:26 GMT expires: - '-1' pragma: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_grouping.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_grouping.yaml index 392b8107379..21482525d02 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_grouping.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_grouping.yaml 
@@ -22,14 +22,14 @@ interactions: - -n --rules --params --display-name User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:11.7027808Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:27.3515726Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -40,7 +40,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:11 GMT + - Thu, 06 Feb 2020 00:12:27 GMT expires: - '-1' pragma: 
@@ -79,14 +79,14 @@ interactions: - -n --definitions --display-name --definition-groups User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:13.8227187Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost + string: 
'{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:29.2683336Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000004"}' headers: cache-control: @@ -96,7 +96,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:12 GMT + - Thu, 06 Feb 2020 00:12:28 GMT expires: - '-1' pragma: 
@@ -125,14 +125,14 @@ interactions: - -n --definition-groups User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:13.8227187Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost + string: 
'{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:29.2683336Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000004"}' headers: cache-control: @@ -142,7 +142,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:14 GMT + - Thu, 06 Feb 2020 00:12:29 GMT expires: - '-1' pragma: 
@@ -159,8 +159,10 @@ interactions: code: 200 message: OK - request: - body: '{"properties": {"displayName": "test_policyset000005", "policyDefinitions": - [{"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", + body: '{"properties": {"displayName": "test_policyset000005", "metadata": {"createdBy": + "36e2f355-d2e2-4fbc-88ab-4281639dff94", "createdOn": "2020-02-06T00:12:29.2683336Z", + "updatedBy": null, "updatedOn": null}, "policyDefinitions": [{"policyDefinitionId": + "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", "parameters": {"allowedLocations": {"value": ["eastus"]}}, "policyDefinitionReferenceId": "1", "groupNames": ["group1", "group2"]}, {"policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", "parameters": {"allowedLocations": {"value": ["eastus"]}}, "policyDefinitionReferenceId": 
@@ -176,21 +178,21 @@ interactions: Connection: - keep-alive Content-Length: - - '794' + - '944' Content-Type: - application/json; charset=utf-8 ParameterSetName: - -n --definition-groups User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:13.8227187Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:47:15.1178395Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated + string: 
'{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:29.2683336Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:12:30.3181927Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated display name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000004"}' headers: cache-control: @@ -200,7 +202,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:15 GMT + - Thu, 06 Feb 2020 00:12:30 GMT expires: - '-1' pragma: @@ -214,7 +216,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-subscription-writes: - - '1198' + - '1199' status: code: 200 message: OK 
@@ -233,14 +235,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:13.8227187Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:47:15.1178395Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated + string: 
'{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:29.2683336Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:12:30.3181927Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated display name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000004"}' headers: cache-control: @@ -250,7 +252,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:15 GMT + - Thu, 06 Feb 2020 00:12:30 GMT expires: - '-1' pragma: 
@@ -283,14 +285,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:13.8227187Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:47:15.1178395Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated + string: 
'{"properties":{"displayName":"test_policyset000005","policyType":"Custom","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:29.2683336Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T00:12:30.3181927Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated display name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000004","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000004"}' headers: cache-control: @@ -300,7 +302,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:16 GMT + - Thu, 06 Feb 2020 00:12:30 GMT expires: - '-1' pragma: @@ -331,7 +333,7 @@ interactions: - keep-alive User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -342,22 +344,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -367,7 +369,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -377,7 +379,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -385,7 +387,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a
17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"poli
cyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","policyD
efinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/
e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/providers/
Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20
a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -401,13 +403,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -417,15 +419,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -437,8 +439,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -536,12 +538,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -566,18 +568,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -590,30 +592,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -670,10 +672,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -699,7 +701,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -709,14 +711,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Micro
soft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Mic
rosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenc
eId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization
/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b6
90-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authoriza
tion/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{
"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4
466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -729,20 +731,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db
-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-ab
a46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. 
For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -758,21 +783,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -828,19 +853,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -849,55 +874,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -1087,7 +1448,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -1099,7 +1460,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -1108,56 +1469,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -1168,16 +1530,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -1188,428 +1550,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -1619,7 +1988,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -1635,35 +2004,26 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"Test - Modify 
initiative","policyType":"Custom","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:36.3227701Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-29T00:44:27.7479878Z"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"8044870099827093134","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"2352795843478363616","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","parameters":{}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","type":"Microsoft.Authorization/policySetDefinitions","name":"55afae72-7df0-417b-9eb7-f756576c854a"},{"properties":{"displayName":"test_policysetuepmyg","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:32:42.4267049Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7rimd7fmj","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7rimd7fmj","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - 
Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset3jchrd","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset3jchrd"},{"properties":{"displayName":"test_policysetlsj2ud","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:31:38.9535237Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjokfikrdz","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjokfikrdz","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - 
Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetebwv2g","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetebwv2g"},{"properties":{"displayName":"test_policysetdh2uwn","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:42:15.7239255Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policypatfxx3pj","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policypatfxx3pj","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - 
Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetf65lk3","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetf65lk3"},{"properties":{"displayName":"test_policysetmnrkgg","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:19:30.8917085Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysdov2udt3","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysdov2udt3","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - 
Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetjmlaev","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetjmlaev"},{"properties":{"displayName":"test_policyset4zburu","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:26:01.9876716Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy47rspm7hp","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy47rspm7hp","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - 
Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetnhnkrw","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetnhnkrw"},{"properties":{"displayName":"test_policysetagnesy","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:43:36.3306361Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:43:37.7016967Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policygpylwrwp5","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policygpylwrwp5","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated - display 
name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetnqjj5n","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetnqjj5n"},{"properties":{"displayName":"test_policysetj4tsbo","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:45:25.134793Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:45:26.926077Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyxv7afgzeg","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyxv7afgzeg","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated - display 
name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysettdfnvq","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysettdfnvq"},{"properties":{"displayName":"test_policyset4xc3n5","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:44:54.171666Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:44:55.6483401Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymsn7m4arn","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymsn7m4arn","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated - display 
name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetthsize","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetthsize"},{"properties":{"displayName":"test_policysetd6tome","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:46:09.3034966Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-06T23:46:10.8618629Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyc2zy35xy6","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyc2zy35xy6","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Updated - display 
name"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetwdmua4","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetwdmua4"},{"properties":{"displayName":"test_policysetk7pkce","policyType":"Custom","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:10:43.6932587Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"1","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysv65gfxjh","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1","group2"]},{"policyDefinitionReferenceId":"2","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysv65gfxjh","parameters":{"allowedLocations":{"value":["eastus"]}},"groupNames":["group1"]}],"policyDefinitionGroups":[{"name":"group1","displayName":"Cost - Savings"},{"name":"group2","displayName":"Organizational"}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policysetxi3o4a","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policysetxi3o4a"}]}' + Modify 
initiative","policyType":"Custom","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-29T00:36:36.3227701Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-01-14T22:57:48.6939794Z"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"8044870099827093134","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"2352795843478363616","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","parameters":{}},{"policyDefinitionReferenceId":"5060779722072987833","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","parameters":{}},{"policyDefinitionReferenceId":"10653200271752784328","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","parameters":{"tagName":{"value":"modifyinitiative"},"tagValue":{"value":"true"}}}]},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/55afae72-7df0-417b-9eb7-f756576c854a","type":"Microsoft.Authorization/policySetDefinitions","name":"55afae72-7df0-417b-9eb7-f756576c854a"}]}' headers: cache-control: - no-cache content-length: - - '657275' + - '763680' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:27 GMT + - Thu, 06 Feb 2020 00:12:42 GMT expires: - '-1' pragma: 
@@ -1696,14 +2056,14 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T23:47:11.7027808Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T00:12:27.3515726Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' headers: @@ -1714,7 +2074,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 23:47:28 GMT + - Thu, 06 Feb 2020 00:12:42 GMT expires: - '-1' pragma: 
diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_management_group.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_management_group.yaml index 253802cead3..f730011c79f 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_management_group.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_policyset_management_group.yaml @@ -16,7 +16,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: POST @@ -32,7 +32,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:51:31 GMT + - Thu, 06 Feb 2020 17:41:59 GMT expires: - '-1' pragma: @@ -65,7 +65,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -81,7 +81,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:51:41 GMT + - Thu, 06 Feb 2020 17:42:10 GMT expires: - '-1' pragma: @@ -117,7 +117,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT @@ -133,7 +133,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:51:45 GMT + - Thu, 06 Feb 2020 17:42:11 GMT expires: - '-1' location: 
@@ -141,11 +141,11 @@ interactions: pragma: - no-cache request-id: - - 23f75ac9-d6e9-4572-89fb-bfa03d2c9ab2 + - 27274fe4-89d3-42ac-8533-af7d00911aed strict-transport-security: - max-age=31536000; includeSubDomains x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1549 x-content-type-options: - nosniff x-ms-ratelimit-remaining-tenant-writes: 
@@ -168,12 +168,59 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/providers/Microsoft.Management/operationResults/create/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: body: - string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Succeeded","properties":{"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","displayName":"cli-test-mgmt-group000002","details":{"version":1,"updatedTime":"2019-12-11T01:51:50.4168025Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","parent":{"id":"/providers/Microsoft.Management/managementGroups/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","name":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","displayName":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"}}}}' + string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Running"}' + headers: + cache-control: + - no-cache + content-length: + - '205' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 17:42:21 GMT + expires: + - '-1' + location: + - https://management.azure.com/providers/Microsoft.Management/operationResults/create/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview + pragma: + - no-cache + request-id: + - 05f9e371-6f0e-425b-911c-f180752f169e + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ba-restapi: + - 1.0.3.1549 + x-content-type-options: + - nosniff + status: + code: 202 + message: Accepted +- request: + body: null + headers: + Accept: + - application/json + 
Accept-Encoding: + - gzip, deflate + CommandName: + - account management-group create + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 + method: GET + uri: https://management.azure.com/providers/Microsoft.Management/operationResults/create/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview + response: + body: + string: '{"id":"/providers/Microsoft.Management/managementGroups/cli-test-mgmt-group000002","type":"/providers/Microsoft.Management/managementGroups","name":"cli-test-mgmt-group000002","status":"Succeeded","properties":{"tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"cli-test-mgmt-group000002","details":{"version":1,"updatedTime":"2020-02-06T17:42:14.3891971Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","parent":{"id":"/providers/Microsoft.Management/managementGroups/72f988bf-86f1-41af-91ab-2d7cd011db47","name":"72f988bf-86f1-41af-91ab-2d7cd011db47","displayName":"72f988bf-86f1-41af-91ab-2d7cd011db47"}}}}' headers: cache-control: - no-cache @@ -182,13 +229,13 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:51:57 GMT + - Thu, 06 Feb 2020 17:42:37 GMT expires: - '-1' pragma: - no-cache request-id: - - 3a3df706-326a-4943-ad01-a71e87071c50 + - 79299581-7caf-4851-bd01-8242b08f241e strict-transport-security: - max-age=31536000; includeSubDomains transfer-encoding: @@ -196,7 +243,7 @@ interactions: vary: - Accept-Encoding,Accept-Encoding x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1549 x-content-type-options: - nosniff status: 
@@ -225,14 +272,14 @@ interactions: - -n --rules --params --display-name --description --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:52:59.4544787Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:41.2022563Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: @@ -243,7 +290,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:52:59 GMT + - Thu, 06 Feb 2020 17:53:40 GMT expires: - '-1' pragma: 
@@ -280,23 +327,23 @@ interactions: - -n --rules --mode --display-name --description --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_data_policy000006","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:00.876359Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000005"}' + string: 
'{"properties":{"displayName":"test_data_policy000006","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:42.2520557Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000005"}' headers: cache-control: - no-cache content-length: - - '782' + - '783' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:00 GMT + - Thu, 06 Feb 2020 17:53:41 GMT expires: - '-1' pragma: 
@@ -333,14 +380,14 @@ interactions: - -n --definitions --display-name --description --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -349,7 +396,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:02 GMT + - Thu, 06 Feb 2020 17:53:44 GMT expires: - '-1' pragma: 
@@ -378,14 +425,14 @@ interactions: - -n --display-name --description --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008","policyType":"Custom","description":"desc_for_test_policyset_123","metadata":{"category":"test","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":null,"updatedOn":null},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -394,7 +441,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:02 GMT + - Thu, 06 Feb 2020 17:53:43 GMT expires: - '-1' pragma: 
@@ -415,9 +462,9 @@ interactions: "desc_for_test_policyset_123_new", "metadata": {"category": "test2"}, "policyDefinitions": [{"policyDefinitionId": "/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003", "parameters": {"allowedLocations": {"value": ["australiaeast", "eastus", "japaneast", - "westus"]}}, "policyDefinitionReferenceId": "3591089841123434059"}, {"policyDefinitionId": + "westus"]}}, "policyDefinitionReferenceId": "13540947075379159090"}, {"policyDefinitionId": "/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005", - "policyDefinitionReferenceId": "11360728187495247027"}]}}' + "policyDefinitionReferenceId": "2541701997075434325"}]}}' headers: Accept: - application/json 
@@ -435,14 +482,14 @@ interactions: - -n --display-name --description --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:04.3275649Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:53:45.4537831Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -451,7 +498,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:03 GMT + - Thu, 06 Feb 2020 17:53:44 GMT expires: - '-1' pragma: @@ -484,7 +531,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -495,22 +542,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -520,7 +567,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -530,7 +577,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -538,7 +585,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a
17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"poli
cyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","policyD
efinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/
e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/providers/
Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20
a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -554,13 +601,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -570,15 +617,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -590,8 +637,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -689,12 +736,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -719,18 +766,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -743,30 +790,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -823,10 +870,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -852,7 +899,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -862,14 +909,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Micro
soft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Mic
rosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenc
eId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization
/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b6
90-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authoriza
tion/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{
"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4
466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -882,20 +929,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy_P
asswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit 
Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -911,21 +981,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -981,19 +1051,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -1002,55 +1072,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -1240,7 +1646,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -1252,7 +1658,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -1261,56 +1667,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -1321,16 +1728,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -1341,428 +1748,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -1772,7 +2186,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -1788,24 +2202,25 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:04.3275649Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/
Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}]}' + that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"},{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:53:45.4537831Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000
005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}]}' headers: cache-control: - no-cache content-length: - - '645827' + - '763442' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:04 GMT + - Thu, 06 Feb 2020 17:53:45 GMT expires: - '-1' pragma: 
@@ -1836,14 +2251,14 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:04.3275649Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:53:45.4537831Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -1852,7 +2267,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:05 GMT + - Thu, 06 Feb 2020 17:53:46 GMT expires: - '-1' pragma: 
@@ -1885,14 +2300,14 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:02.4802281Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:04.3275649Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"3591089841123434059","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:44.2804109Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:53:45.4537831Z"},"policyDefinitions":[{"policyDefinitionReferenceId":"13540947075379159090","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -1901,7 +2316,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:06 GMT + - Thu, 06 Feb 2020 17:53:46 GMT expires: - '-1' pragma: @@ -1934,7 +2349,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -1945,22 +2360,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -1970,7 +2385,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -1980,7 +2395,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -1988,7 +2403,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b
3a17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","polic
yDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinition
s/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"
policyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a
20a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -2004,13 +2419,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -2020,15 +2435,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -2040,8 +2455,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -2139,12 +2554,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -2169,18 +2584,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -2193,30 +2608,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in 
Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -2273,10 +2688,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -2302,7 +2717,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -2312,14 +2727,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Mic
rosoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","M
icrosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionRefere
nceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorizati
on/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-
b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authori
zation/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}}
,{"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4
-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provid
ers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -2332,20 +2747,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy
_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit 
Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -2361,21 +2799,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -2431,19 +2869,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -2452,55 +2890,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -2690,7 +3464,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -2702,7 +3476,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -2711,56 +3485,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -2771,16 +3546,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -2791,428 +3566,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. 
If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and 
Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -3222,7 +4004,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -3238,12 +4020,13 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"}]}' @@ -3251,11 +4034,11 @@ interactions: cache-control: - no-cache content-length: - - '644617' + - '762232' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:17 GMT + - Thu, 06 Feb 2020 17:53:57 GMT expires: - '-1' pragma: 
@@ -3296,16 +4079,16 @@ interactions: - -n --definitions --display-name --description --params --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:18.9363095Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:54:00.6572247Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when - deploying 
resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"2504255928103422979","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + deploying resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"13588911573473112724","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -3314,7 +4097,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:17 GMT + - Thu, 06 Feb 2020 17:54:00 GMT expires: - '-1' pragma: 
@@ -3343,16 +4126,16 @@ interactions: - -n --params --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:18.9363095Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:54:00.6572247Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when - deploying 
resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"2504255928103422979","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + deploying resources"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"13588911573473112724","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -3361,7 +4144,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:18 GMT + - Thu, 06 Feb 2020 17:54:00 GMT expires: - '-1' pragma: 
@@ -3383,9 +4166,9 @@ interactions: {"allowedLocations": {"type": "array", "metadata": {"displayName": "Allowed locations 2"}}}, "policyDefinitions": [{"policyDefinitionId": "/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003", "parameters": {"allowedLocations": {"value": "[parameters(''allowedLocations'')]"}}, - "policyDefinitionReferenceId": "2504255928103422979"}, {"policyDefinitionId": + "policyDefinitionReferenceId": "13588911573473112724"}, {"policyDefinitionId": "/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005", - "policyDefinitionReferenceId": "11360728187495247027"}]}}' + "policyDefinitionReferenceId": "2541701997075434325"}]}}' headers: Accept: - application/json 
@@ -3403,15 +4186,15 @@ interactions: - -n --params --metadata --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:18.9363095Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:19.9519469Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"2504255928103422979","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:54:00.6572247Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:54:01.8494915Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"13588911573473112724","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -3420,7 +4203,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:19 GMT + - Thu, 06 Feb 2020 17:54:00 GMT expires: - '-1' pragma: 
@@ -3455,15 +4238,15 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:18.9363095Z","updatedBy":"9ac534f1-d577-4034-a32d-48de400dacbf","updatedOn":"2019-12-11T01:53:19.9519469Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"2504255928103422979","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"11360728187495247027","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' + string: 
'{"properties":{"displayName":"test_policyset000008_new","policyType":"Custom","description":"desc_for_test_policyset_123_new","metadata":{"category":"test2","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:54:00.6572247Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2020-02-06T17:54:01.8494915Z"},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations 2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"13588911573473112724","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","parameters":{"allowedLocations":{"value":"[parameters(''allowedLocations'')]"}}},{"policyDefinitionReferenceId":"2541701997075434325","policyDefinitionId":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005"}]},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policySetDefinitions/azure-cli-test-policyset000007","type":"Microsoft.Authorization/policySetDefinitions","name":"azure-cli-test-policyset000007"}' headers: cache-control: - no-cache @@ -3472,7 +4255,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:20 GMT + - Thu, 06 Feb 2020 17:54:01 GMT expires: - '-1' pragma: @@ -3505,7 +4288,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -3516,22 +4299,22 @@ interactions: the Administrators group does not contain only the specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''Members'')]"}}},{"policyDefinitionReferenceId":"Audit_AdministratorsGroupMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b","type":"Microsoft.Authorization/policySetDefinitions","name":"06122b01-688c-42a8-af2e-fa97dd39aa3b"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsLogAnalyticsAgentConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979","type":"Microsoft.Authorization/policySetDefinitions","name":"06c5e415-a662-463a-bb85-ede14286b979"},{"properties":{"displayName":"[Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/irs1075-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.
Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -3541,7 +4324,7 @@ interactions: specified members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; @@ -3551,7 +4334,7 @@ interactions: initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please - visit https://aka.ms/cisazure-blueprint.","metadata":{"category":"Regulatory + visit https://aka.ms/cisazure-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List of regions where Network Watcher should be enabled","description":"To see a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["eastus"]},"listOfApprovedVMExtensions":{"type":"Array","metadata":{"displayName":"List 
@@ -3559,7 +4342,7 @@ interactions: see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"},"defaultValue":["AzureDiskEncryption","AzureDiskEncryptionForLinux","DependencyAgentWindows","DependencyAgentLinux","IaaSAntimalware","IaaSDiagnostics","LinuxDiagnostic","MicrosoftMonitoringAgent","NetworkWatcherAgentLinux","NetworkWatcherAgentWindows","OmsAgentForLinux","VMSnapshot","VMSnapshotLinux"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"CISv110x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x1m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x1x23","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b
3a17","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x3CISv110x7x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x5CISv110x7x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x6CISv110x7x1CISv110x7x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"po
licyDefinitionReferenceId":"CISv110x2x14CISv110x4x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x15CISv110x4x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x18","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","parameters":{}},{"policyDefinitionReferenceId":"CISv110x2x19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x3x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4","polic
yDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x4m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x11","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinition
s/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x13","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x14","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x16","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x4x17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"CISv110x5x1x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"
policyDefinitionReferenceId":"CISv110x6x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"CISv110x7x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"CISv110x7x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","parameters":{"approvedExtensions":{"value":"[parameters(''listOfApprovedVMExtensions'')]"}}},{"policyDefinitionReferenceId":"CISv110x8x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"CISv110x8x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x3mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4m","policyDefinitionId":"/provider
s/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x4mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x5mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x6mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x7mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a
20a-6f8adba71a16","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x8mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x9mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10m","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","parameters":{}},{"policyDefinitionReferenceId":"CISv110x9x10mm","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d","type":"Microsoft.Authorization/policySetDefinitions","name":"1a5bb27d-173f-493e-9568-eb56638dde4d"},{"properties":{"displayName":"[Preview]: Enable Monitoring in Azure Security Center","policyType":"BuiltIn","description":"Monitor all the available security recommendations in Azure Security Center. 
This - is the default policy for Azure Security Center.","metadata":{"category":"Security + is the default policy for Azure Security Center.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System updates on virtual machine scale sets should be installed","description":"Enable or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssEndpointProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"Endpoint 
@@ -3575,13 +4358,13 @@ interactions: or disable endpoint protection monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Disk encryption should be applied on virtual machines","description":"Enable or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - network security groups","description":"[Deprecated] Enable or disable monitoring - of network security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network + network security groups","description":"Enable or disable monitoring of network + security groups with permissive rules","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnSubnetsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network Security Groups on the subnet level should be enabled","description":"Enable - or disable monitoring of NSGs on subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Groups for virtual machines should be enabled","description":"Enable - or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","description":"Enable + or disable monitoring of NSGs on 
subnets"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"networkSecurityGroupsOnVirtualMachinesMonitoringEffect":{"type":"String","metadata":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","description":"Enable + or disable monitoring of NSGs on VMs"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","description":"Enable or disable the monitoring of unprotected web applications"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"type":"String","metadata":{"displayName":"Access through Internet facing endpoint should be restricted","description":"Enable or disable overly permissive inbound NSG rules monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerabilities 
@@ -3591,15 +4374,15 @@ interactions: Vulnerability Assessment should be enabled on Virtual Machines","description":"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Audit - missing blob encryption for storage accounts","description":"[Deprecated] - Enable or disable the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time + missing blob encryption for storage accounts","description":"Enable or disable + the monitoring of blob encryption for storage accounts","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"jitNetworkAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"Just-In-Time network access control should be applied on virtual machines","description":"Enable or disable the monitoring of network just In time access"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","description":"Enable - or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unaudited SQL servers in Azure Security Center","description":"Enable - or disable the monitoring of unaudited SQL 
databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Deprecated] - Monitor unencrypted SQL databases in Azure Security Center","description":"Enable + or disable the monitoring of application whitelisting in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unaudited SQL servers in Azure Security Center","description":"Enable or disable + the monitoring of unaudited SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + unencrypted SQL databases in Azure Security Center","description":"Enable or disable the monitoring of unencrypted SQL databases","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"sqlDbEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"Transparent Data Encryption on SQL databases should be enabled","description":"Enable or disable the monitoring of unencrypted SQL databases"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingMonitoringEffect":{"type":"String","metadata":{"displayName":"Auditing 
@@ -3611,8 +4394,8 @@ interactions: servers should be configured with auditing retention days greater than 90 days","description":"Enable or disable the monitoring of SQL servers with auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInAppServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - diagnostic logs in Azure App Services","description":"[Deprecated] Enable - or disable the monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic + diagnostic logs in Azure App Services","description":"Enable or disable the + monitoring of diagnostics logs in Azure App Services","deprecated":true},"allowedValues":["Audit","Disabled"],"defaultValue":"Disabled"},"diagnosticsLogsInSelectiveAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in App Services should be enabled","description":"Enable or disable the monitoring of diagnostics logs in Azure App Services"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"encryptionOfAutomationAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Automation account variables should be encrypted","description":"Enable or disable the 
@@ -3710,12 +4493,12 @@ interactions: or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External accounts with read permissions should be removed from your subscription","description":"Enable or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for API App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Function App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - Configure IP restrictions for Web App","description":"[Deprecated] Enable - or disable the monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote + Configure IP restrictions for API App","description":"Enable or disable the + monitoring of IP restrictions for API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Function App","description":"Enable or disable + the monitoring of IP restrictions for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppConfigureIPRestrictionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + Configure IP restrictions for Web App","description":"Enable or disable the + monitoring of IP restrictions for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for API App","description":"Enable or disable the monitoring of remote debugging for API App"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"functionAppDisableRemoteDebuggingMonitoringEffect":{"type":"String","metadata":{"displayName":"Remote debugging should be turned off for Function App","description":"Enable or 
@@ -3740,18 +4523,18 @@ interactions: the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRequireLatestTlsMonitoringEffect":{"type":"String","metadata":{"displayName":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for API App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Function App","description":"[Deprecated] Enable or - disable the monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - disable web sockets for Web App","description":"[Deprecated] Enable or disable - the monitoring of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over HTTPS","description":"[Deprecated] Enable - or disable the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"[Deprecated] - Enable or disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API + disable web sockets for API App","description":"Enable or disable the monitoring + of web sockets for API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Function App","description":"Enable or disable the + monitoring of web sockets for Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppDisableWebSocketsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + disable web sockets for Web App","description":"Enable or disable the monitoring + of web sockets for Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"API + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"API App should only be accessible over HTTPS V2","description":"Enable or disable the monitoring of the use of HTTPS in API App V2"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffectV2":{"type":"String","metadata":{"displayName":"Function App should only be accessible over HTTPS V2","description":"Enable or disable 
@@ -3764,30 +4547,30 @@ interactions: or disable the monitoring of CORS restrictions for API Function"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS should not allow every resource to access your Web Application","description":"Enable or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"apiAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in API App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Function App","description":"[Deprecated] Enable - or disable the monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - the custom domain use in Web App","description":"[Deprecated] Enable or disable - the monitoring of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in API App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest .Net in Web App","description":"[Deprecated] Enable or disable - the monitoring of .Net version in 
Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in API App","description":"[Deprecated] Enable or disable - the monitoring of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Java in Web App","description":"[Deprecated] Enable or disable - the monitoring of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Node.js in Web App","description":"[Deprecated] Enable or disable - the monitoring of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in API App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest PHP in Web App","description":"[Deprecated] Enable or disable the - monitoring of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in API App","description":"[Deprecated] Enable or disable - the monitoring of Python version in API 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor - use latest Python in Web App","description":"[Deprecated] Enable or disable - the monitoring of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS + the custom domain use in API App","description":"Enable or disable the monitoring + of custom domain use in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"functionAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Function App","description":"Enable or disable the + monitoring of custom domain use in Function App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedCustomDomainsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + the custom domain use in Web App","description":"Enable or disable the monitoring + of custom domain use in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in API App","description":"Enable or disable the monitoring + of .Net version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestDotNetMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest .Net in Web App","description":"Enable or disable the monitoring + of .Net version in Web 
App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in API App","description":"Enable or disable the monitoring + of Java version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestJavaMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Java in Web App","description":"Enable or disable the monitoring + of Java version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestNodeJsMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Node.js in Web App","description":"Enable or disable the monitoring + of Node.js version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in API App","description":"Enable or disable the monitoring + of PHP version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPHPMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest PHP in Web App","description":"Enable or disable the monitoring + of PHP version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"apiAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in API App","description":"Enable or disable the monitoring + of Python version in API App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"webAppUsedLatestPythonMonitoringEffect":{"type":"String","metadata":{"displayName":"Monitor + use latest Python in Web 
App","description":"Enable or disable the monitoring + of Python version in Web App","deprecated":true},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"Disabled"},"vnetEnableDDoSProtectionMonitoringEffect":{"type":"String","metadata":{"displayName":"DDoS Protection Standard should be enabled","description":"Enable or disable the monitoring of DDoS protection for virtual network"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"diagnosticsLogsInIoTHubMonitoringEffect":{"type":"String","metadata":{"displayName":"Diagnostic logs in IoT Hub should be enabled","description":"Enable or disable the monitoring 
@@ -3844,10 +4627,10 @@ interactions: Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against - SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management + SQL injection, database vulnerabilities, and any other anomalous activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToManagementPortsMonitoringEffect":{"type":"String","metadata":{"displayName":"Management ports should be closed on your virtual machines","description":"Enable or disable the monitoring of open management ports on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"restrictAccessToAppServicesMonitoringEffect":{"type":"String","metadata":{"displayName":"Access to App Services should be 
restricted","description":"Enable or disable the @@ -3873,7 +4656,7 @@ interactions: Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -3883,14 +4666,14 @@ interactions: support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, - please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"category":"Regulatory + please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Mic
rosoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","M
icrosoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionRefere
nceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"DeployPrerequisitesAuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorizati
on/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-
b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authori
zation/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}}
,{"policyDefinitionReferenceId":"DeployVMExtensionToAuditThatWindowsWebServersAreUsingScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLManagedInstancesWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServersWithoutAdvancedDataSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"AuditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4
-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLManagedInstanceAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"AudtiAdvancedThreatProtectionTypesAllInSQLServerAdvancedDataSecuritySettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"TheNsGsRulesForWebApplicationsOnIaaSShouldBeHardened","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAWebApplication","policyDefinitionId":"/provid
ers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"AuditRemoteDebuggingStateForAnAPIApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"AuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"AuditThatWindowsWebServersAreUsingsScureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e","type":"Microsoft.Authorization/policySetDefinitions","name":"3937f550-eedd-4639-9c5e-294358be442e"},{"properties":{"displayName":"[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/SWIFT-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkG
ateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"workspaceIDsLogAnalyticsAgentShouldConnectTo":{"type":"String","metadata":{"displayName":"Connected workspace IDs","description":"A semicolon-separated list of the workspace 
@@ -3903,20 +4686,43 @@ interactions: Audit VMs with insecure password security settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"},{"policyDefinitionReferenceId":"Deploy_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"policyDefinitionReferenceId":"Deploy_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"policyDefinitionReferenceId":"Deploy_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"},{"policyDefinitionReferenceId":"Deploy_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"},{"policyDefinitionReferenceId":"Deploy_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"policyDefinitionReferenceId":"Deploy
_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"},{"policyDefinitionReferenceId":"Audit_MaximumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordAge","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"policyDefinitionReferenceId":"Audit_PasswordMustMeetComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"policyDefinitionReferenceId":"Audit_StorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"policyDefinitionReferenceId":"Audit_EnforcePasswordHistory","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"policyDefinitionReferenceId":"Audit_MinimumPasswordLength","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid110","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid121","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"},{"policyDefinitionReferenceId":"Audit_PasswordPolicy_msid232","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6","type":"Microsoft.Authorization/policySetDefinitions","name":"3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"},{"properties":{"displayName":"[Preview]: + Audit 
Azure Security Benchmark recommendations and deploy specific supporting + VM Extensions","policyType":"BuiltIn","description":"This initiative includes + audit and VM Extension deployment policies that address a subset of Azure + Security Benchmark recommendations. Additional policies will be added in upcoming + releases. For more information, please visit https://aka.ms/azsecbm.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Regulatory + Compliance"},"parameters":{"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users excluded from Windows VM Administrators group","description":"A semicolon-separated + list of members that should be excluded in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"listOfMembersToIncludeInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that must be included in Windows VM Administrators group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"listOfOnlyMembersInWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List + of users that Windows VM Administrators group must *only* include","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"listOfRegionsWhereNetworkWatcherShouldBeEnabled":{"type":"Array","metadata":{"displayName":"List + of regions where Network Watcher should be enabled","description":"To see + a complete list of regions use Get-AzLocation","strongType":"location"},"defaultValue":["australiacentral","australiacentral2","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus","eastus2","francecentral","francesouth","germanynorth","germanywestcentral","global","japaneast","japanwest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","norwaywest","southafricanorth","southafricawest","southcentralus","southeastasia","southindia","switzerlandnorth","switzerlandwest","uaecentral","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]},"approvedVirtualNetworkForVMs":{"type":"String","metadata":{"displayName":"Virtual + network where VMs should be connected","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name","strongType":"Microsoft.Network/virtualNetworks"}},"approvedNetworkGatewayforVirtualNetworks":{"type":"String","metadata":{"displayName":"Network + gateway that virtual networks should use","description":"Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name","strongType":"Microsoft.Network/virtualNetworkGateways"}},"listOfWorkspaceIDsForLogAnalyticsAgent":{"type":"String","metadata":{"displayName":"List + of workspace IDs where Log Analytics agents should connect","description":"A + semicolon-separated list of the workspace IDs that the Log Analytics agent + should be connected to"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"013e242c-8828-4970-87b3-ab247555486d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","parameters":{}},{"policyDefinitionReferenceId":"048248b0-55cd-46da-b1ff-39efd52db260","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","parameters":{}},{"policyDefinitionReferenceId":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-144
20ea1f1a9","parameters":{}},{"policyDefinitionReferenceId":"057ef27e-665e-4328-8ea3-04b3122bd9fb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","parameters":{}},{"policyDefinitionReferenceId":"0820b7b9-23aa-4725-a1ce-ae4558f718e5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","parameters":{}},{"policyDefinitionReferenceId":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{}},{"policyDefinitionReferenceId":"09024ccc-0c5f-475e-9457-b7c0d9ed487b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"0961003e-5a0a-4549-abde-af6a37f2724d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","parameters":{}},{"policyDefinitionReferenceId":"0d134df8-db83-46fb-ad72-fe0c9428c8dd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","parameters":{}},{"policyDefinitionReferenceId":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","parameters":{}},{"policyDefinitionReferenceId":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","parameters":{}},{"policyDefinitionReferenceId":"0e60b895-3786-45da-8377-9c6b4b6ac5f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6
b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"0ec47710-77ff-4a3d-9181-6aa50af424d0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{}},{"policyDefinitionReferenceId":"144f1397-32f9-4598-8c88-118decc3ccba","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"MembersToExclude":{"value":"[parameters(''listOfMembersToExcludeFromWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"17k78e20-9358-41c9-923c-fb736d382a12","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"1a4e592a-6a6e-44a5-9814-e36264ca96e7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","parameters":{}},{"policyDefinitionReferenceId":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{}},{"policyDefinitionReferenceId":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"1f314764-cb73-4fc9-b863-8eca98ac36e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"22730e10-96f6-4aac-ad84-9383d35b5917","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","parameters":{}},{"policyDefinitionReferenceId":"22bee202-a82f-4305-9a2a-6d7f44d4dedb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"235359c5-7c52-4b82-9055-01c75cf9f60e"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","parameters":{}},{"policyDefinitionReferenceId":"26a828e1-e88f-464e-bbb3-c134a282b9de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","parameters":{}},{"policyDefinitionReferenceId":"2b9ad585-36bc-4615-b300-fd4435808332","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","parameters":{}},{"policyDefinitionReferenceId":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","parameters":{}},{"policyDefinitionReferenceId":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","parameters":{}},{"policyDefinitionReferenceId":"34c877ad-507e-4c82-993e-3452a6e0ad3c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"34f95f76-5386-4de7-b824-0d8478470c9d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{}},{"policyDefinitionReferenceId":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","parameters":{}},{"policyDefinitionReferenceId":"3657f5a0-770e-44a3-b44e-9431ba1e9735","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"36e17963-7202-494a-80c3-f508211c826b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{}},{"policyDefinitionReferenceId":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"383856f8-de7f-44a2-81fc-e5135b5c2aa4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","parameters":{}},{"policyDefinitionReferenceId":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","parameters":{}},{"policyDefinitionReferenceId":"3abeb944-26af-43ee-b83d-32aaf060fb94","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","parameters":{}},{"policyDefinitionReferenceId":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"3e596b57-105f-48a6-be97-03e9243bad6e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","parameters":{}},{"policyDefinitionReferenceId":"404c3081-a854-4457-ae30-26a93ef643f9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","parameters":{}},{"policyDefinitionReferenceId":"428256e6-1fac-4f48-a757-df34c2b3336d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","parameters":{}},{"policyDefinitionReferenceId":"475aae12-b88a-4572-8b36-9b712b2b3a17","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","parameters":{}},{"policyDefinitionReferenceId":"47a6b606-51aa-4496-8bb7-64b11cf66adc"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"48af4db5-9b8b-401c-8e74-076be876a430","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{}},{"policyDefinitionReferenceId":"4f11b553-d42e-4e3a-89be-32ca364cad4c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","parameters":{}},{"policyDefinitionReferenceId":"501541f7-f7e7-4cd6-868c-4190fdad3ac9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{}},{"policyDefinitionReferenceId":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{}},{"policyDefinitionReferenceId":"5bb220d9-2698-4ee4-8404-b9c30c9df609","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","parameters":{}},{"policyDefinitionReferenceId":"5c028d2a-1889-45f6-b821-31f42711ced8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","parameters":{}},{"policyDefinitionReferenceId":"5c607a2e-c700-4744-8254-d77e7c9eb5e4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
,"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","parameters":{}},{"policyDefinitionReferenceId":"617c02be-7f02-4efd-8836-3180d47b6c68","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"68511db2-bd02-41c4-ae6b-1900a012968a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","parameters":{"WorkspaceId":{"value":"[parameters(''listOfWorkspaceIDsForLogAnalyticsAgent'')]"}}},{"policyDefinitionReferenceId":"6b1cbf55-e8b6-442f-ba4c-7246b6381474","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","parameters":{}},{"policyDefinitionReferenceId":"7229bd6a-693d-478a-87f0-1dc1af06f3b8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","parameters":{}},{"policyDefinitionReferenceId":"760a85ff-6162-42b3-8d70-698e268f648c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"7c1b1214-f927-48bf-8882-84f0af6588b1","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","parameters":{}},{"policyDefinitionReferenceId":"7f89b1eb-583c-429a-8828-af049802c1d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"82339799-d096-41ae-8538-b108becf0970","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{}},{"policyDefinitionReferenceId":"83a214f7-d01a-484b-91a9-ed54470c9a6a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","parameters":{}},{"policyDefinitionReferenceId":"86880e5c-df35-43c5-95ad-7e120635775e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","parameters":{}},{"policyDefinitionReferenceId":"86b3d65f-7626-441e-b690-81a8b71cff60","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"86d97760-d216-4d81-a3ad-163087b2b6c3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","parameters":{}},{"policyDefinitionReferenceId":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","parameters":{}},{"policyDefinitionReferenceId":"9297c21d-2ed6-4474-b48f-163f75654ce3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"93507a81-10a4-4af0-9ee2-34cf25a96e98","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"MembersToInclude":{"value":"[parameters(''listOfMembersToIncludeInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"9677b740-f641-4f3c-b9c5-466005c85278","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","parame
ters":{}},{"policyDefinitionReferenceId":"985285b7-b97a-419c-8d48-c88cc934c8d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{}},{"policyDefinitionReferenceId":"9b597639-28e4-48eb-b506-56b05d366257","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","parameters":{}},{"policyDefinitionReferenceId":"a030a57e-4639-4e8f-ade9-a92f33afe7ee","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","parameters":{}},{"policyDefinitionReferenceId":"a1181c5f-672a-477a-979a-7d58aa086233","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","parameters":{}},{"policyDefinitionReferenceId":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"a4af4a39-4135-47fb-b175-47fbdf85311d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"a70ca396-0a34-413a-88e1-b956c1e683be","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","parameters":{}},{"policyDefinitionReferenceId":"a7aca53f-2ed4-4466-a25e-0b45ade68efd","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"aa633080-8b72-40c4-a2d7-d00c03e80bed","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parame
ters":{}},{"policyDefinitionReferenceId":"aa81768c-cb87-4ce2-bfaa-00baa10d760c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","parameters":{}},{"policyDefinitionReferenceId":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{}},{"policyDefinitionReferenceId":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","parameters":{}},{"policyDefinitionReferenceId":"aeb23562-188d-47cb-80b8-551f16ef9fff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","parameters":{}},{"policyDefinitionReferenceId":"af6cd1bd-1635-48cb-bde7-5b15693900b9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"b0f33259-77d7-4c9e-aac6-3aabcfae693c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"b4330a05-a843-4bc8-bf9a-cacce50c67f4","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{}},{"policyDefinitionReferenceId":"b4d66858-c922-44e3-9566-5cdb7a7be744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","parame
ters":{}},{"policyDefinitionReferenceId":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","parameters":{}},{"policyDefinitionReferenceId":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","parameters":{"listOfLocations":{"value":"[parameters(''listOfRegionsWhereNetworkWatcherShouldBeEnabled'')]"}}},{"policyDefinitionReferenceId":"b7ddfbdc-1260-477d-91fd-98bd9be789a6","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"b821191b-3a12-44bc-9c38-212138a29ff3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","parameters":{"Members":{"value":"[parameters(''listOfOnlyMembersInWindowsVMAdministratorsGroup'')]"}}},{"policyDefinitionReferenceId":"bd352bd5-2853-4985-bf0d-73806b4a5744","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{}},{"policyDefinitionReferenceId":"bda18df3-5e41-4709-add9-2554ce68c966","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{}},{"policyDefinitionReferenceId":"bde62c94-ccca-4821-a815-92c1d31a76de","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{}},{"policy
DefinitionReferenceId":"c43e4a30-77cb-48ab-a4dd-93f175c63b57","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","parameters":{}},{"policyDefinitionReferenceId":"c4857be7-912a-4c75-87e6-e30292bcdf78","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","parameters":{}},{"policyDefinitionReferenceId":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","parameters":{}},{"policyDefinitionReferenceId":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","parameters":{}},{"policyDefinitionReferenceId":"c95c74d9-38fe-4f0d-af86-0c7d626a315c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","parameters":{}},{"policyDefinitionReferenceId":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"cc7cda28-f867-4311-8497-a526129a8d19","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","parameters":{}},{"policyDefinitionReferenceId":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","parameters":{}},{"policyDefinitionReferenceId":"cf820ca0-f99e-4f3e-84fb-66e913812d21","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","parameters":{}},{"policyDefinitionReferenceId":"d158790f-bfb0-486c-8631-2dc6b4e8e6af","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","parameters":{}},{"policy
DefinitionReferenceId":"d38fc420-0735-4ef3-ac11-c806f651a570","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{}},{"policyDefinitionReferenceId":"d416745a-506c-48b6-8ab1-83cb814bcaa3","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","parameters":{"virtualNetworkId":{"value":"[parameters(''approvedVirtualNetworkForVMs'')]"}}},{"policyDefinitionReferenceId":"d63edb4a-c612-454d-b47d-191a724fcbf0","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","parameters":{}},{"policyDefinitionReferenceId":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","parameters":{}},{"policyDefinitionReferenceId":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"e3576e28-8b17-4677-84c3-db2990658d64","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"e71308d3-144b-4262-b144-efdc3cc90517","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","parameters":{}},{"policyDefinitionReferenceId":"e756b945-1b1b-480b-8de8-9a0859d5f7ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","parameters":{}},{"policyDefinitionReferenceId":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","parameters":{}},{"policyDefinitionReferenceId":"e8cbc669-f12d-49eb-93e7-9273119e9933","policyDefinitionId":"/providers/Microsoft.Authorization/poli
cyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","parameters":{}},{"policyDefinitionReferenceId":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"ea4d6841-2173-4317-9747-ff522a45120f","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","parameters":{}},{"policyDefinitionReferenceId":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{}},{"policyDefinitionReferenceId":"efbde977-ba53-4479-b8e9-10b957924fbf","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","parameters":{}},{"policyDefinitionReferenceId":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","parameters":{}},{"policyDefinitionReferenceId":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","parameters":{}},{"policyDefinitionReferenceId":"f1776c76-f58c-4245-a8d0-2b207198dc8b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b","parameters":{"virtualNetworkGatewayId":{"value":"[parameters(''approvedNetworkGatewayforVirtualNetworks'')]"}}},{"policyDefinitionReferenceId":"f3b44e5d-1456-475f-9c67-c66c4618e85a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"f56
a3ab2-89d1-44de-ac0d-2ada5962e22a","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{}},{"policyDefinitionReferenceId":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","parameters":{}},{"policyDefinitionReferenceId":"f8456c1c-aa66-4dfb-861a-25d127b775c9","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","parameters":{}},{"policyDefinitionReferenceId":"f9be5368-9bf5-4b84-9e0a-7850da98bb46","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","parameters":{}},{"policyDefinitionReferenceId":"f9d614c5-c173-4d56-95a7-b4437057d193","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","parameters":{}},{"policyDefinitionReferenceId":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"feedbf84-6b99-488c-acc2-71c829aa5ffc","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92","type":"Microsoft.Authorization/policySetDefinitions","name":"42a694ed-f65e-42b2-aa9e-8052e9740a92"},{"properties":{"displayName":"[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension 
deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/pciv321-init.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs"
,"Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"
previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},{"policyDefinitionReferenceId":"previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithReadPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{}},{"policyDefinitionReferenceId":"previewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{
"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"previewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorM
issingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"accessThroughInternetFacingEndpointShouldBeRestricted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDef
initionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"auditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"auditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"auditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"auditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"auditTransparentDataEncryptionStatus","policyDefinitio
nId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41","type":"Microsoft.Authorization/policySetDefinitions","name":"496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"},{"properties":{"displayName":"[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"category":"Regulatory + releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -3932,21 +4738,21 @@ interactions: the specified one","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","parameters":{"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsRemoteConnection","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90","type":"Microsoft.Authorization/policySetDefinitions","name":"4ddaefff-7c78-4824-9b27-5c344f3cdf90"},{"properties":{"displayName":"Audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -4002,19 +4808,19 @@ interactions: Kiritimati Island"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","parameters":{"TimeZone":{"value":"[parameters(''TimeZone'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTimeZone","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da","type":"Microsoft.Authorization/policySetDefinitions","name":"538942d3-3fae-4fb6-9d94-744f9a51e7da"},{"properties":{"displayName":"[Preview]: Enable Azure Monitor for VMs","policyType":"BuiltIn","description":"Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management - group, Subscription or resource group). Takes Log Analytics workspace as parameter.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + group, Subscription or resource group). 
Takes Log Analytics workspace as parameter.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VM_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{"listOfImageIdToIncl
ude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a","type":"Microsoft.Authorization/policySetDefinitions","name":"55f3eceb-5573-4f18-9695-226972c6d74a"},{"properties":{"displayName":"Audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","parameters":{"DomainName":{"value":"[parameters(''DomainName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDomainMembership","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f","type":"Microsoft.Authorization/policySetDefinitions","name":"6b3c1e80-8ae5-405b-b021-c23d13b3959f"},{"properties":{"displayName":"[Preview]: 
@@ -4023,55 +4829,391 @@ interactions: Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI - this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example + this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":true},"parameters":{"logAnalytics_1":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}},"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyDefinitions":[{"policyDefinitionReferenceId":"LogAnalyticsExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"LogAnalyticsExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","parameters":{"logAnalytics":{"value":"[parameters(''logAnalytics_1'')]"},"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Windows_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"}}},{"policyDefinitionReferenceId":"DependencyAgentExtension_Linux_VMSS_Deploy","policyDefinitionId":"/providers/Microsoft.Authorization/po
licyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","parameters":{"listOfImageIdToInclude":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"LogAnalytics_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}},{"policyDefinitionReferenceId":"DependencyAgent_OSImage_VMSS_Audit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{"listOfImageIdToInclude_windows":{"value":"[parameters(''listOfImageIdToInclude_windows'')]"},"listOfImageIdToInclude_linux":{"value":"[parameters(''listOfImageIdToInclude_linux'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad","type":"Microsoft.Authorization/policySetDefinitions","name":"75714362-cae7-409e-9b99-a8e5075b7fad"},{"properties":{"displayName":"[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/iso27001-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled","strongType":"resourceTypes"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","M
icrosoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","parameters":{}},
{"policyDefinitionReferenceId":"PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditExternalAccountsWithWritePermissionsOnASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-ac
a5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmEtcPasswdFilePe
rmissionsAreSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditHttpsOnlyAccessForAnApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMaximumNumberOfOwnersForASubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditMinimumNumberOfOwnersForSubscription","policyDefinitionId":"/providers/Microsoft.Autho
rization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5f
d5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"AuditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","par
ameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypesWithDiagnosticLogsEnabled'')]"}}},{"policyDefinitionReferenceId":"AuditEnablementOfEncryptionOfAutomationAccountVariables","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","parameters":{}},{"policyDefinitionReferenceId":"AuditEnablingOfOnlySecureConnectionsToYourRedisCache","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"AuditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"AuditSQLServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","parameters":{}},{"policyDefinitionReferenceId":"AuditTransparentDataEncryptionStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"AuditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinit
ions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"AuditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","parameters":{}},{"policyDefinitionReferenceId":"AuditUseOfClassicVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","parameters":{}},{"policyDefinitionReferenceId":"AuditVMsThatDoNotUseManagedDisks","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2","type":"Microsoft.Authorization/policySetDefinitions","name":"89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"},{"properties":{"displayName":"Audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"Audit + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsTLS","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c","type":"Microsoft.Authorization/policySetDefinitions","name":"8bc55e6b-e9d5-4266-8dac-f688d151ec9c"},{"properties":{"displayName":"[Preview]: + DoD Impact Level 4","policyType":"BuiltIn","description":"Assigns policies + to address specific DoD Impact Level 4 (IL4) controls. 
Learn more - https://aka.ms/DoDIL4-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed + locations for resources and resource groups","description":"This policy enables + you to restrict the locations your organization can specify when creating + resource groups or deploying resources. Use to enforce your geo-compliance + requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + to be included in the Administrators local group","description":"A semicolon-separated + list of members that should be included in the Administrators local group. + Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members + that should be excluded in the Administrators local group","description":"A + semicolon-separated list of members that should be excluded in the Administrators + local group. 
Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log + Analytics Workspace Id that VMs should be configured for","description":"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List + of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines",
"Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL managed 
instances","description":"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability + assessment should be enabled on your SQL servers","description":"Audit Azure + SQL servers which do not have recurring vulnerability assessment scans enabled. + Vulnerability assessment can discover, track, and help you remediate potential + database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability + Assessment should be enabled on Virtual Machines","description":"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + storage should be enabled for Storage Accounts","description":"This policy + audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MariaDB","description":"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for MySQL","description":"This + 
policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL","description":"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web + Application should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function + App should only be accessible over HTTPS","description":"Enable or disable + the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External 
+ accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts with owner permissions in + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated + accounts should be removed from your subscription","description":"Enable or + disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS + should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System + updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA + should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term + geo-redundant backup should be enabled for Azure SQL Databases","description":"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133","type":"Microsoft.Authorization/policySetDefinitions","name":"8d792a84-723c-4d92-a3c3-e4ed16a2d133"},{"properties":{"displayName":"Audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and ''Running''. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","parameters":{"ServiceName":{"value":"[parameters(''ServiceName'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsServiceStatus","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f","type":"Microsoft.Authorization/policySetDefinitions","name":"8eeec860-e2fa-4f89-a669-84942c57225f"},{"properties":{"displayName":"[Preview]: + Audit Motion Picture Association of America (MPAA) controls and deploy specific + VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This + initiative includes policies that address a subset of Motion Picture Association + of America (MPAA) security and guidelines controls. Additional policies will + be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"certificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints that should exist under the Trusted Root","description":"A + semicolon-separated list of certificate thumbprints that should exist under + the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}},"applicationName":{"type":"String","metadata":{"displayName":"[Preview]: + Application names to be installed on VMs","description":"A semicolon-separated + list of the names of the applications that should be installed. e.g. 
''python; + powershell''"}},"storagePrefix":{"type":"String","metadata":{"displayName":"[Preview]: + Storage Account Prefix for Regional Storage Account to deploy diagnostic settings + for Network Security Groups","description":"This prefix will be combined with + the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"[Preview]: + Resource Group Name for Storage Account (must exist) to deploy diagnostic + settings for Network Security Groups","description":"The resource group that + the storage account will be created in. This resource group must already exist.","strongType":"ExistingResourceGroups"}},"diskEncryptionMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Disk encryption should be applied on virtual machines","description":"Enable + or disable the monitoring for VM disk encryption"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Monitor unencrypted SQL database in Azure Security Center","description":"Enable + or disable monitoring of unencrypted SQL databases in Azure Security Center"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"[Preview]: + Metric name on which alert rules should be configured in Batch accounts","description":"The + metric name that an alert rule must be enabled on"}},"metricAlertsInBatchAccountPoolDeleteStartEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Metric alert rules should be configured on Batch accounts","description":"Enable + or disable monitoring of metric alert rules on Batch account to enable the + required 
metric"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Audit unrestricted network access to storage accounts","description":"Enable + or disable the monitoring of network access to storage account"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Logic Apps should be enabled","description":"Enable or + disable the monitoring of diagnostic logs in Logic Apps workflows"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"[Preview]: + Required retention (in days) of diagnostic logs in Logic Apps workflows","description":"The + required diagnostic logs retention period in days"},"defaultValue":"365"},"vmssOsVulnerabilitiesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities in security configuration on your virtual machine scale sets + should be remediated","description":"Enable or disable monitoring of virtual + machine scale sets OS vulnerabilities "},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"vulnerabilityAssessmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities should be remediated by a Vulnerability Assessment solution","description":"Enable + or disable the detection of VM vulnerabilities by a vulnerability assessment + solution"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection."},"defaultValue":"Administrators, + Authenticated Users"},"usersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, + Remote Desktop Users"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access from the network","description":"Specifies + which users or groups are explicitly prohibited from connecting across the + network."},"defaultValue":"Guests"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log."},"defaultValue":"Administrators"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system."},"defaultValue":"Administrators, Backup Operators"},"usersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"usersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time 
zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"usersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies + which service accounts are explicitly not permitted to register a process + as a service."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies + which users and 
groups are permitted to shut down the computer from a remote + location on the network."},"defaultValue":"Administrators"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories."},"defaultValue":"Administrators, Backup Operators"},"usersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. 
This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"systemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates should be installed on your machines","description":"Enable + or disable reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlServerAuditingRetentionDaysMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + SQL servers should be configured with auditing retention days greater than + 90 days","description":"Enable or disable the monitoring of SQL servers with + auditing retention period less than 90"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"windowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. 
The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"windowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"windowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"windowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"windowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"windowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"windowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"windowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile."},"defaultValue":"1"},"windowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"windowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"windowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies 
+ whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"windowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"windowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with write permissions in your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + All authorization rules except RootManageSharedAccessKey should be removed + from Service Bus namespace","description":"Enable or disable the monitoring + of Service Bus namespace authorization rules"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"kubernetesServiceRbacEnabledMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"Enable + or disable the monitoring of Kubernetes Services without 
RBAC enabled"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Diagnostic logs in Search services should be enabled","description":"Enable + or disable the monitoring of diagnostic logs in Azure Search service"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"microsoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"disableIPForwardingMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + IP Forwarding on your virtual machine should be disabled","description":"Enable + or disable the monitoring of IP forwarding on virtual machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"threatDetectionTypesOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Advanced Threat Protection types should be set to ''All'' in SQL managed instance + Advanced Data Security settings","description":"It is recommended to enable + all Advanced Threat Protection types on your SQL servers. 
Enabling all types + protects against SQL injection, database vulnerabilities, and any other anomalous + activities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"certificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path containing the certificates to be checked for expiration","description":"The + path to the certificate store containing the certificates to check the expiration + dates of. Default value is ''Cert:'' which is the root certificate store path, + so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', + ''Cert:\\LocalMachine\\TrustedPublisher'', ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"expirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days for certificates that are expiring under specified + certificate store path","description":"An integer indicating the number of + days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"certificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"certificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude while checking for expired certificates + under specified certificate store path","description":"A semicolon-separated + list of certificate thumbprints to ignore while checking expired certificates. + e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"includeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include already expired certificates while checking for expired certificates + under specified certificate store path","description":"Must be ''true'' or + ''false''. True indicates that any found certificates that have already expired + will also make this policy non-compliant. False indicates that certificates + that have expired will be be ignored under specified certificate store path."},"allowedValues":["true","false"],"defaultValue":"false"},"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables."},"defaultValue":"0"},"accountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"networkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP + Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"networkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies + which network shares can be accessed by anonymous users. 
The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server."},"defaultValue":"0"},"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerabilities on your SQL databases should be remediated","description":"Enable + or disable the monitoring of Vulnerability Assessment scan results and recommendations + for how to remediate database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"diskEncryptionMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{"effect":{"value":"[parameters(''diskEncryptionMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"certificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{"effect":{"value":"[parameters(''previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect'')]"}}},{"policyDefinitionReferenceId":"previewDeployRequirementsToAuditWindowsVMsThatDoNotRestrictTheMinimumPassw
ordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"metricAlertsInBatchAccountPoolDeleteStart","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","parameters":{"effect":{"value":"[parameters(''metricAlertsInBatchAccountPoolDeleteStartEffect'')]"},"metricName":{"value":"[parameters(''MetricName'')]"}}},{"policyDefinitionReferenceId":"deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","parameters":{}},{"policyDefinitionReferenceId":"disableUnrestrictedNetworkToStorageAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{"effect":{"value":"[parameters(''disableUnrestrictedNetworkToStorageAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInLogicAppsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInLogicAppsMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-
4f2e-beed-ba4ed02b71f5","parameters":{}},{"policyDefinitionReferenceId":"vmssOsVulnerabilitiesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{"effect":{"value":"[parameters(''vmssOsVulnerabilitiesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"deployInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"applicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"previewAuditWindowsVmPasswordsMustBeAtLeast14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"usersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGr
oupsThatMayLogOnThroughRemoteDesktopServices'')]"},"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"usersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"usersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"usersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"usersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"usersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"usersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"usersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"userAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"usersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"usersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"systemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parame
ters":{"effect":{"value":"[parameters(''systemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingForNetworkInterfaces","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","parameters":{}},{"policyDefinitionReferenceId":"sqlServerAuditingRetentionDaysMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","parameters":{"effect":{"value":"[parameters(''sqlServerAuditingRetentionDaysMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineWindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"windowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"windowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"windowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"windowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"windowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"windowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"windowsFirewallPrivateBehaviorForOutboundConnections":{"value":"
[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"windowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"windowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"windowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"windowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"windowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"windowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"windowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"windowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"windowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"windowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"auditCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","parameters":{}},{"policyDefinitionReferenceId":"namespaceAuthorizationRulesInServiceBu
sMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","parameters":{"effect":{"value":"[parameters(''namespaceAuthorizationRulesInServiceBusMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"kubernetesServiceRbacEnabledMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","parameters":{"effect":{"value":"[parameters(''kubernetesServiceRbacEnabledMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"diagnosticsLogsInSearchServiceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","parameters":{"effect":{"value":"[parameters(''diagnosticsLogsInSearchServiceMonitoringEffect'')]"},"requiredRetentionDays":{"value":"[parameters(''RequiredRetentionDays'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","parameters":{}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"microsoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''
)]"},"microsoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"disableIPForwardingMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","parameters":{"effect":{"value":"[parameters(''disableIPForwardingMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"threatDetectionTypesOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","parameters":{"effect":{"value":"[parameters(''threatDetectionTypesOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"deployCertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"certificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"expirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"certificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"certificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"includeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineUserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","parameters":{}},{"policyDefinitionReferenceId":"deployDiagnosticSettingsforNetworkSecurityGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89","parameters":{"storagePrefix":{"value":"[parameters(''StoragePrefix'')]"},"rgName":{"value":"[parameters(''RgNam
e'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"accountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","parameters":{}},{"policyDefinitionReferenceId":"deployAzureBaselineSecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"networkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"networkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''exte
rnalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect'')]"}}},{"policyDefinitionReferenceId":"auditAzureBaselineSecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","parameters":{}},{"policyDefinitionReferenceId":"auditInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","parameters":{}},{"policyDefinitionReferenceId":"sqlDbVulnerabilityAssesmentMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{"effect":{"value":"[parameters(''sqlDbVulnerabilityAssesmentMonitoringEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8","type":"Microsoft.Authorization/policySetDefinitions","name":"92646f03-e39d-47a9-9e24-58d60ef49af8"},{"properties":{"displayName":"[Preview]: Enable Data Protection Suite","policyType":"BuiltIn","description":"Enable data protection for SQL servers. 
This initiative is assigned automatically - by Azure Security Center Standard Tier.","metadata":{"category":"Security + by Azure Security Center Standard Tier.","metadata":{"version":"1.0.0-preview","category":"Security Center"},"parameters":{},"policyDefinitions":[{"policyDefinitionReferenceId":"deployThreatDetectionOnSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","parameters":{}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","type":"Microsoft.Authorization/policySetDefinitions","name":"9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. 
Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d","parameters":{"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsDefenderExploitGuard","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574","type":"Microsoft.Authorization/policySetDefinitions","name":"9d2fd8e6-95c8-410d-add0-43ada4241574"},{"properties":{"displayName":"Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies - will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"category":"Regulatory + will be added in upcoming releases. https://aka.ms/hipaa-blueprint","metadata":{"version":"1.0.0","category":"Regulatory Compliance"},"parameters":{"installedApplicationsOnWindowsVM":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 
@@ -4261,7 +5403,7 @@ interactions: Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more @@ -4273,7 +5415,7 @@ interactions: members","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -4282,56 +5424,57 @@ interactions: number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. 
If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: + 
''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","parameters":{"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}}},{"policyDefinitionReferenceId":"Audit_CertificateExpiration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae","type":"Microsoft.Authorization/policySetDefinitions","name":"b6f5e05c-0aaa-4337-8dd4-357c399d12ae"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194","parameters":{"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}}},{"policyDefinitionReferenceId":"Audit_MachineLastBootUpTime","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7","type":"Microsoft.Authorization/policySetDefinitions","name":"b8b5b0a8-b809-4e5d-8082-382c686e35b7"},{"properties":{"displayName":"[Preview]: Audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"policyDefinitionReferenceId":"Audit_WindowsDscConfiguration","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd","type":"Microsoft.Authorization/policySetDefinitions","name":"c58599d5-0d51-454f-aaf1-da18a5e76edd"},{"properties":{"displayName":"Audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. 
''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_InstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e","type":"Microsoft.Authorization/policySetDefinitions","name":"c937dcb4-4398-4b39-8d63-4a6be432252e"},{"properties":{"displayName":"Audit Windows VMs with a pending reboot","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"},{"policyDefinitionReferenceId":"Audit_WindowsPendingReboot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4","type":"Microsoft.Authorization/policySetDefinitions","name":"c96b2a9c-6fab-4ac2-ae21-502143491cd4"},{"properties":{"displayName":"Audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -4342,16 +5485,16 @@ interactions: Root","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","parameters":{"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsCertificateInTrustedRoot","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c","type":"Microsoft.Authorization/policySetDefinitions","name":"cdfcc6ff-945e-4bc6-857e-056cbc511e0c"},{"properties":{"displayName":"[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming - releases. For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"category":"Regulatory + releases. 
For more information, please visit https://aka.ms/nist80053-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceIdforVMReporting":{"type":"String","metadata":{"displayName":"Log Analytics workspace ID for VM agent reporting"}},"listOfResourceTypesWithDiagnosticLogsEnabled":{"type":"Array","metadata":{"displayName":"List of resource types that should have diagnostic logs enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsof
t.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":{"type":"String","metadata":{"displayName":"List 
@@ -4362,428 +5505,435 @@ interactions: requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more - information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"category":"Regulatory - Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"Allowed - locations for resources and resource groups","description":"This policy enables - you to restrict the locations your organization can create resource groups - in or deploy resources. Use to enforce your geo-compliance requirements. Excludes - resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources - that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - to be included in the Administrators local group","description":"A semicolon-separated - list of members that should be included in the Administrators local group. - Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"Members - that should be excluded in the Administrators local group","description":"A + information, please visit https://aka.ms/fedramph-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory + Compliance","preview":true},"parameters":{"listOfAllowedLocationsForResourcesAndResourceGroups":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed locations for resources and resource groups","description":"This policy + enables you to restrict the locations your organization can create resource + groups in or deploy resources. Use to enforce your geo-compliance requirements. 
+ Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the ''global'' region.","strongType":"location"}},"membersToIncludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members to be included in the Administrators local group","description":"A + semicolon-separated list of members that should be included in the Administrators + local group. Ex: Administrator; myUser1; myUser2"}},"membersToExcludeInAdministratorsLocalGroup":{"type":"String","metadata":{"displayName":"[Preview]: + Members that should be excluded in the Administrators local group","description":"A semicolon-separated list of members that should be excluded in the Administrators - local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"Log - Analytics Workspace Id that VMs should be configured for","description":"This + local group. Ex: Administrator; myUser1; myUser2"}},"logAnalyticsWorkspaceIdForVMs":{"type":"String","metadata":{"displayName":"[Preview]: + Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured - for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"List - of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL managed instances","description":"Audit + for."}},"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + List of resource types that should have diagnostic logs 
enabled"},"allowedValues":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedClusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"],"defaultValue":["Microsoft.AnalysisServices/servers","Microsoft.ApiManagement/service","Microsoft.Network/applicationGateways","Microsoft.Automation/automationAccounts","Microsoft.ContainerInstance/containerGroups","Microsoft.ContainerRegistry/registries","Microsoft.ContainerService/managedC
lusters","Microsoft.Batch/batchAccounts","Microsoft.Cdn/profiles/endpoints","Microsoft.CognitiveServices/accounts","Microsoft.DocumentDB/databaseAccounts","Microsoft.DataFactory/factories","Microsoft.DataLakeAnalytics/accounts","Microsoft.DataLakeStore/accounts","Microsoft.EventGrid/eventSubscriptions","Microsoft.EventGrid/topics","Microsoft.EventHub/namespaces","Microsoft.Network/expressRouteCircuits","Microsoft.Network/azureFirewalls","Microsoft.HDInsight/clusters","Microsoft.Devices/IotHubs","Microsoft.KeyVault/vaults","Microsoft.Network/loadBalancers","Microsoft.Logic/integrationAccounts","Microsoft.Logic/workflows","Microsoft.DBforMySQL/servers","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.DBforPostgreSQL/servers","Microsoft.PowerBIDedicated/capacities","Microsoft.Network/publicIPAddresses","Microsoft.RecoveryServices/vaults","Microsoft.Cache/redis","Microsoft.Relay/namespaces","Microsoft.Search/searchServices","Microsoft.ServiceBus/namespaces","Microsoft.SignalRService/SignalR","Microsoft.Sql/servers/databases","Microsoft.Sql/servers/elasticPools","Microsoft.StreamAnalytics/streamingjobs","Microsoft.TimeSeriesInsights/environments","Microsoft.Network/trafficManagerProfiles","Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Network/virtualNetworks","Microsoft.Network/virtualNetworkGateways"]},"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL managed instances","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"Vulnerability - assessment should be enabled on your SQL servers","description":"Audit Azure - SQL servers which do not have recurring vulnerability assessment scans enabled. - Vulnerability assessment can discover, track, and help you remediate potential - database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"Vulnerability - Assessment should be enabled on Virtual Machines","description":"Monitors + remediate potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnServerMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability assessment should be enabled on your SQL servers","description":"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. 
Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vulnerabilityAssessmentOnVirtualMachinesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Vulnerability Assessment should be enabled on Virtual Machines","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - storage should be enabled for Storage Accounts","description":"This policy - audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for MariaDB","description":"This + on Virtual Machines"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"geoRedundancyEnabledForStorageAccountsEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant storage should be enabled for Storage Accounts","description":"This + policy audits any Storage Account with geo-redundant storage not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMariaDBEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for 
Azure Database for MySQL","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"Geo-redundant - backup should be enabled for Azure Database for PostgreSQL","description":"This + enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForMySQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for MySQL","description":"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","description":"Enable - or disable the monitoring of Internet-facing virtual machines for Network - Security Group traffic hardening recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Web - Application should only be accessible over HTTPS","description":"Enable or - disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"Function - App should only be accessible over 
HTTPS","description":"Enable or disable - the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with write permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with read permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"External - accounts with owner permissions should be removed from your subscription","description":"Enable - or disable the monitoring of external acounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts with owner permissions should be removed from your subscription","description":"Enable + not enabled."},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"adaptiveNetworkHardeningsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Adaptive Network Hardening recommendations should be applied on internet facing + virtual machines","description":"Enable or disable the monitoring of Internet-facing + virtual machines for Network Security Group traffic hardening 
recommendations"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Web Application should only be accessible over HTTPS","description":"Enable + or disable the monitoring of the use of HTTPS in Web App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"functionAppEnforceHttpsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Function App should only be accessible over HTTPS","description":"Enable or + disable the monitoring of the use of HTTPS in function App"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with write permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with read permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + External accounts with owner permissions should be removed from your subscription","description":"Enable + or disable the monitoring of external acounts with owner permissions in 
subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts with owner permissions should be removed from your subscription","description":"Enable or disable the monitoring of deprecated acounts with owner permissions in - subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"Deprecated - accounts should be removed from your subscription","description":"Enable or - disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"CORS - should not allow every resource to access your Web Application","description":"Enable - or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"System - updates on virtual machine scale sets should be installed","description":"Enable - or disable virtual machine scale sets reporting of system updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with read permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled on accounts with 
owner permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"MFA - should be enabled accounts with write permissions on your subscription","description":"Enable - or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"Long-term - geo-redundant backup should be enabled for Azure SQL Databases","description":"This + subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Deprecated accounts should be removed from your subscription","description":"Enable + or disable the monitoring of deprecated acounts in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"webAppRestrictCORSAccessMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + CORS should not allow every resource to access your Web Application","description":"Enable + or disable the monitoring of CORS restrictions for API Web"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"vmssSystemUpdatesMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + System updates on virtual machine scale sets should be installed","description":"Enable + or disable virtual machine scale sets reporting of system 
updates"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForReadPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with read permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with read permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled on accounts with owner permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with owner permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"type":"String","metadata":{"displayName":"[Preview]: + MFA should be enabled accounts with write permissions on your subscription","description":"Enable + or disable the monitoring of MFA for accounts with write permissions in subscription"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect":{"type":"String","metadata":{"displayName":"[Preview]: + Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not 
enabled."},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyDefinitions":[{"policyDefinitionReferenceId":"previewMonitorUnprotectedWebApplicationInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","parameters":{}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","parameters":{}},{"policyDefinitionReferenceId":"auditVirtualMachinesWithoutDisasterRecoveryConfigured","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","parameters":{}},{"policyDefinitionReferenceId":"auditUsageOfCustomRBACRules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","parameters":{}},{"policyDefinitionReferenceId":"serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","parameters":{}},{"policyDefinitionReferenceId":"auditUnrestrictedNetworkAccessToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","parameters":{}},{"policyDefinitionReferenceId":"transparentDataEncryptionOnSqlDatabasesShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecif
iedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","parameters":{}},{"policyDefinitionReferenceId":"auditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","parameters":{}},{"policyDefinitionReferenceId":"auditSqlServerLevelAuditingSettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","parameters":{}},{"policyDefinitionReferenceId":"advancedDataSecurityShouldBeEnabledOnYourManagedInstances","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","parameters":{}},{"policyDefinitionReferenceId":"auditSecureTransferToStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","parameters":{}},{"policyDefinitionReferenceId":"anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","parameters":{}},{"policyDefinitionReferenceId":"OnlySecureConnectionsToYourRedisCacheShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesShouldBeRemediatedByAVulnerabilityAssessmentSolution","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","parameters":{}},{"policyDefinitionReferenceId":"previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter","policyDe
finitionId":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","parameters":{}},{"policyDefinitionReferenceId":"diskEncryptionShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","parameters":{}},{"policyDefinitionReferenceId":"justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","parameters":{}},{"policyDefinitionReferenceId":"adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","parameters":{}},{"policyDefinitionReferenceId":"systemUpdatesShouldBeInstalledOnYourMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","parameters":{}},{"policyDefinitionReferenceId":"monitorMissingEndpointProtectionInAzureSecurityCenter","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmPasswordsMustBeAtLeast
14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmEnforcesPasswordComplexityRequirements","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMinimumPasswordAge1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmMaximumPasswordAge70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditWindowsVmShouldNotAllowPrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmPasswdFilePermissions","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","parameters":{}},{"policyDefinitionReferenceId":"previewDeployVmExtensionToAuditLinuxVmAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","parameters":{}},{"policyDefinitionReferenceId":"PreviewDeployVmExtensionToAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","parameters":{}},{"policyDefinitionReferenceId":"endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","param
eters":{}},{"policyDefinitionReferenceId":"previewShowAuditResultsFromWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","parameters":{}},{"policyDefinitionReferenceId":"previewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatHaveAccountsWithoutPasswords","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords","policyDefinitionId":"/providers/Micr
osoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","parameters":{}},{"policyDefinitionReferenceId":"dDoSProtectionStandardShouldBeEnabled","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForApiApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForWebApplication","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","parameters":{}},{"policyDefinitionReferenceId":"remoteDebuggingShouldBeTurnedOffForFunctionApp","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","parameters":{}},{"policyDefinitionReferenceId":"thereShouldBeMoreThanOneOwnerAssignedToYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","parameters":{}},{"policyDefinitionReferenceId":"aMaximumOf3OwnersShouldBeDesignatedForYourSubscription","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","parameters":{}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3
2133ab0-ee4b-4b44-98d6-042180979d50","parameters":{}},{"policyDefinitionReferenceId":"apiAppShouldOnlyBeAccessibleOverHttps","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","parameters":{}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnManagedInstanceMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnManagedInstanceMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vulnerabilityAssessmentOnServerMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnServerMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"VulnerabilityAssessmentshouldbeenabledonVirtualMachines","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","parameters":{"effect":{"value":"[parameters(''vulnerabilityAssessmentOnVirtualMachinesEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantStorageShouldBeEnabledForStorageAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForStorageAccountsEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMariaDBEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","parameters":{"effect":{
"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForMySQLEffect'')]"}}},{"policyDefinitionReferenceId":"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","parameters":{"effect":{"value":"[parameters(''geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResourceGroups","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"allowedLocationsForResources","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","parameters":{"listOfAllowedLocations":{"value":"[parameters(''listOfAllowedLocationsForResourcesAndResourceGroups'')]"}}},{"policyDefinitionReferenceId":"deployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","parameters":{"membersToInclude":{"value":"[parameters(''membersToIncludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"DeployRequirementsToAuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","parameters":{"membersToExclude":{"value":"[parameters(''membersToExcludeInAdministratorsLocalGroup'')]"}}},{"policyDefinitionReferenceId":"auditDiagnosticSetting","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","parameters":{"listOfResourceTypes":{"value":"[parameters(''listOfResourceTypes'')]"}}},{"policyDefinitionReferenceId":"
adaptiveNetworkHardeningsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","parameters":{"effect":{"value":"[parameters(''adaptiveNetworkHardeningsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"previewAuditLogAnalyticsWorkspaceForVmReportMismatch","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","parameters":{"logAnalyticsWorkspaceId":{"value":"[parameters(''logAnalyticsWorkspaceIdForVMs'')]"}}},{"policyDefinitionReferenceId":"webAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","parameters":{"effect":{"value":"[parameters(''webAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"functionAppEnforceHttpsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","parameters":{"effect":{"value":"[parameters(''functionAppEnforceHttpsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","parameters":{"effect":{"value":"[parameters(''identityRemoveExternalAccountWithReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveExternalAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","parameters":{"effect":{"value":"[parameters(''identit
yRemoveExternalAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityRemoveDeprecatedAccountMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","parameters":{"effect":{"value":"[parameters(''identityRemoveDeprecatedAccountMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"webAppRestrictCORSAccessMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","parameters":{"effect":{"value":"[parameters(''webAppRestrictCORSAccessMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"vmssSystemUpdatesMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","parameters":{"effect":{"value":"[parameters(''vmssSystemUpdatesMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForWritePermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForWritePermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForReadPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForReadPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"identityEnableMFAForOwnerPermissionsMonitoring","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40
c4-a2d7-d00c03e80bed","parameters":{"effect":{"value":"[parameters(''identityEnableMFAForOwnerPermissionsMonitoringEffect'')]"}}},{"policyDefinitionReferenceId":"longtermGeoRedundantBackupEnabledAzureSQLDatabases","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","parameters":{"effect":{"value":"[parameters(''longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect'')]"}}}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f","type":"Microsoft.Authorization/policySetDefinitions","name":"d5264498-16f4-418a-b659-fa7ef418175f"},{"properties":{"displayName":"[Preview]: Audit Windows VMs that do not match Azure security baseline settings","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB 
server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"},"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"},"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal - Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + before they can access shared resources on the server."},"defaultValue":"0"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + of recovery console environment variables."},"defaultValue":"0"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System - settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. 
This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. 
Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory 
pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). + For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the 
computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the computer."},"defaultValue":"1"},"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"},"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"},"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. 
Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. 
Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the 
network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are 
denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. The time - value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"},"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequi
redBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSec
ureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters
(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"va
lue":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork
":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenF
urtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_Azur
eBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[par
ameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferen
ceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_A
zureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallPrope
rties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa","type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","parameters":{"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","parameters":{"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOpti
onsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","parameters":{"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenL
ogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefin
itionId":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UA
CRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","parameters":{"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","parameters":{"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","parameters":{"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","parameters":{"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f
5-497a-bb36-48b3280cec6a","parameters":{"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","parameters":{"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","parameters":{"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"
},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[
parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}}},{"policyDefinitionReferenceId":"Deploy_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","parameters":{"WindowsFirewallDomainUseProfileSettings":{"value":"[param
eters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"v
alue":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}}},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesControlPanel","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesNetwork","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdministrativeTemplatesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAccounts","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsAudit","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsDevices","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsInteractiveLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"policyDefinitionReferenceId":"Audit_Azur
eBaseline_SecurityOptionsMicrosoftNetworkServer","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsNetworkSecurity","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsRecoveryconsole","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsShutdown","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemobjects","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsSystemsettings","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecurityOptionsUserAccountControl","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SecuritySettingsAccountPolicies","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesAccountLogon","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAudi
tPoliciesAccountManagement","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesObjectAccess","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPolicyChange","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_SystemAuditPoliciesSystem","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_UserRightsAssignment","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsComponents","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"},{"policyDefinitionReferenceId":"Audit_AzureBaseline_WindowsFirewallProperties","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
,"type":"Microsoft.Authorization/policySetDefinitions","name":"d618d658-b2d0-410e-9e2e-bfbfd04d09fa"},{"properties":{"displayName":"Audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL @@ -4793,7 +5943,7 @@ interactions: audit requirements","policyType":"BuiltIn","description":"This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. - For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"category":"Regulatory + For more information, please visit https://aka.ms/fedrampm-blueprint.","metadata":{"version":"1.0.0-preview","category":"Regulatory Compliance"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured 
@@ -4809,12 +5959,13 @@ interactions: initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","parameters":{"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}}},{"policyDefinitionReferenceId":"Audit_WindowsPowerShellExecutionPolicy","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720","type":"Microsoft.Authorization/policySetDefinitions","name":"f000289c-47af-4043-87da-91ba9e1a2720"},{"properties":{"displayName":"Audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","description":"This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''python; powershell''"}}},"policyDefinitions":[{"policyDefinitionReferenceId":"Deploy_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","parameters":{"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}}},{"policyDefinitionReferenceId":"Audit_NotInstalledApplicationLinux","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}]},"id":"/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20","type":"Microsoft.Authorization/policySetDefinitions","name":"f48bcc78-5400-4fb0-b913-5140a2e5fa20"}]}' @@ -4822,11 +5973,11 @@ interactions: cache-control: - no-cache content-length: - - '644617' + - '762232' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:31 GMT + - Thu, 06 Feb 2020 17:54:12 GMT expires: - '-1' pragma: 
@@ -4859,14 +6010,14 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:52:59.4544787Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + string: '{"properties":{"displayName":"test_policy000004","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:41.2022563Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed locations","description":"The list of locations that can be specified when deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000003","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000003"}' headers: @@ -4877,7 +6028,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:31 GMT + - Thu, 06 Feb 2020 17:54:14 GMT expires: - '-1' pragma: 
@@ -4891,7 +6042,7 @@ interactions: x-content-type-options: - nosniff x-ms-ratelimit-remaining-tenant-deletes: - - '14998' + - '14999' status: code: 200 message: OK 
@@ -4912,23 +6063,23 @@ interactions: - -n --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE uri: https://management.azure.com/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"test_data_policy000006","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-11T01:53:00.876359Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000005"}' + string: 
'{"properties":{"displayName":"test_data_policy000006","policyType":"Custom","mode":"Microsoft.DataCatalog.Data","description":"desc_for_test_data_policy_123","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-06T17:53:42.2520557Z","updatedBy":null,"updatedOn":null},"policyRule":{"if":{"field":"Microsoft.DataCatalog.Data/catalog/entity/type","equals":"SomeEntityType"},"then":{"effect":"ModifyClassifications","details":{"classificationsToAdd":["foo"],"classificationsToRemove":["bar"]}}}},"id":"/providers/Microsoft.Management/managementgroups/cli-test-mgmt-group000002/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy000005","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-data-policy000005"}' headers: cache-control: - no-cache content-length: - - '782' + - '783' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:42 GMT + - Thu, 06 Feb 2020 17:54:27 GMT expires: - '-1' pragma: @@ -4961,7 +6112,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -4970,46 +6121,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data - recovery and is easier to enable than other cloud backup services.","metadata":{"category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this 
Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5017,55 +6169,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microso
ft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - 
Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of 
duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5078,11 +6230,11 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -5094,67 +6246,69 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -5166,17 +6320,17 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5187,26 +6341,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -5214,7 +6370,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -5233,44 +6389,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -5279,96 +6441,98 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/vir
tualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer"
,"notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer"
,"notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5378,10 +6542,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5392,55 +6556,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws 
or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this 
System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMa
chines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy @@ -5449,7 +6618,7 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' 
@@ -5464,22 +6633,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This @@ -5488,7 +6658,7 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -5502,12 +6672,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5516,7 +6687,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Micro
soft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5525,10 +6697,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements 
this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5536,22 +6708,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfig
uration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. 
This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -5562,44 +6735,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -5607,48 +6782,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Windo
wsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft
.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -5656,12 +6831,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5673,51 +6848,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/im
ageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the 
shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory 
pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -5725,18 +6907,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windo
wsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field"
:"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5744,20 +6929,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute
/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5766,7 +6953,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equ
als":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5776,16 +6963,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5798,28 +6985,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5832,37 +7019,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -5873,22 +7061,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5896,74 +7085,88 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vi
rtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","li
ke":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5971,55 +7174,58 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer
","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - 
Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infra
structure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-serv
er*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -6031,25 +7237,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based 
Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -6058,7 +7264,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-
server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', 
@@ -6071,18 +7277,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6091,36 +7297,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -6129,7 +7337,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Micro
soft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6139,71 +7348,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute
/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -6213,7 +7423,17 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"str
ing"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"typ
e":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -6221,107 +7441,123 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security 
Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"an
yOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","conten
tVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -6331,7 +7567,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -6344,21 +7580,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6377,354 +7613,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.w
indowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - 
Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log 
Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
monitoring for Linux VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","
exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compu
te/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/im
ageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. 
This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security 
events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements 
this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -6733,9 +8002,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -6748,21 +8017,22 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to 
scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d
16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -6770,7 +8040,7 @@ interactions: Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -6784,84 +8054,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -6870,109 +8143,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6980,32 +8255,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.
windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU
","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 
1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -7015,17 +8291,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7037,7 +8313,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7045,73 +8321,74 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtua
lMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"
anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storagePro
file.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. 
Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -7124,22 +8401,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7147,11 +8425,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication 
protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -7159,12 +8437,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exis
ts":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan 
results, with a ''sqlva'' prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -7175,8 +8453,9 @@ interactions: ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -7237,15 +8516,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7253,72 +8533,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micr
osoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest 
Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', 
parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable 
media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication 
control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7327,10 +8615,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7340,32 +8628,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + 
implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7374,13 +8662,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]
},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is 
not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. + Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"M
icrosoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7392,31 +8681,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -7430,70 +8719,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7501,13 +8791,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Comput
e/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7515,70 +8805,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field
":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -7604,7 +8896,30 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[paramete
rs(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToChec
kForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientC
onnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"stri
ng"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs 
credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -7625,10 +8940,12 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -7636,33 +8953,35 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile
.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pi
votal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -7670,12 +8989,13 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPro
file.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","e
quals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7687,7 +9007,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -7699,7 +9019,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Micro
soft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -7710,40 +9031,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -7752,91 +9073,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-
os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7845,7 +9168,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS 
@@ -7862,73 +9186,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer"
,"like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: 
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -7937,7 +9262,7 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cl
oud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -7948,13 +9273,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -7962,94 +9287,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability 
control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. 
Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"
field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -8069,7 +9396,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASer
vice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFiles
AndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreD
eniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type"
:"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -8087,138 +9434,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMa
chines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8226,18 +9585,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/v
irtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -8245,9 +9604,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike"
:"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8260,15 +9619,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -8276,18 +9637,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8295,110 +9657,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtu
alMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then
":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. 
Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', 
parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8407,7 +9778,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":
[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -8416,89 +9788,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies - whether local administrators are allowed to create connection security rules - that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network 
traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies - the behavior for outbound connections for the Private profile that do not - match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules - that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + that apply together with connection security rules configured by Group Policy + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses 
the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound 
connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"the
n":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"fiel
d":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -8530,7 +9905,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(
''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDis
playNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUse
ProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnecti
ons":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -8549,10 +9945,12 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8561,7 +9959,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -8578,36 +9976,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOf
fer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8615,7 +10013,7 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Com
pute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -8624,7 +10022,7 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; 
@@ -8639,54 +10037,55 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they - reach the web app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: Show audit 
results from Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8694,103 +10093,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/
virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy 
Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deploy
IfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - 
Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Co
mpute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is 
enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Comput
e/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows 
Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -8804,109 +10219,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -8914,42 +10333,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Micr
osoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource 
types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect 
Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing 
Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -8968,111 +10389,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osP
rofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher
","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + 
implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9080,172 +10504,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compu
te/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher 
instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as 
credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","
equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Micr
osoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management 
control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -9254,7 +10691,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},
{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', 
@@ -9272,80 +10709,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -9354,7 +10796,7 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', 
@@ -9372,11 +10814,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.w
indowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch
"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9387,21 +10830,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9409,51 +10858,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtu
alMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines
/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","l
ike":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -9463,25 +10912,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerD
isconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLog
onHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft 
network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9489,28 +10948,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9518,20 +10978,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","li
ke":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9544,57 +11004,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equ
als":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf"
:[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -9606,42 +11072,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/i
mageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', 
parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -9708,72 +11181,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","
equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"fie
ld":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsof
t.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they - reach the API app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And 
Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -9781,28 +11261,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering
-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. 
For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.C
ompute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -9816,44 +11296,45 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before - they reach the Function app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -9867,11 +11348,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9879,31 +11360,32 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOf
fer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"fiel
d":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9915,7 +11397,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -9931,30 +11413,31 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -9962,88 +11445,95 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffe
r","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute
/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This 
policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit 
https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{
"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -10054,30 +11544,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10087,7 +11579,7 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10098,33 +11590,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -10137,57 +11629,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storagePro
file.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10201,41 +11693,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"
},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10243,43 +11737,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"t
hen":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -10288,7 +11788,7 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-interne
t-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', 
parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10301,124 +11801,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read 
privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Mic
rosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equ
als":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"f
ield":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. 
The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', 
''='', - parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"th
en":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -10426,104 +11951,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"fiel
d":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account 
status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"200
8*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account 
status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -10531,20 +12074,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10558,74 +12101,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key 
Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -10635,8 +12180,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10644,26 +12189,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10678,12 +12228,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10697,25 +12247,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -10729,23 +12279,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This @@ -10754,7 +12304,7 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 
@@ -10768,17 +12318,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -10790,7 +12340,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cl
oudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -10798,33 +12349,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10832,7 +12388,7 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOff
er","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -10840,30 +12396,31 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublish
er","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of 
authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute
/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -10871,10 +12428,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Com
pute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -10886,7 +12443,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -10900,81 +12457,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and 
sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","e
xists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":
"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -10982,115 +12547,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},
{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', 
parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage account containing the container with activity logs must be encrypted with BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at - rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / 
Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11098,101 +12672,105 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Co
mpute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities on your SQL databases should be 
remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + 
implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in 
months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. 
To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key 
types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key 
Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + ''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -11201,7 +12779,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -11210,25 +12788,25 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -11237,7 +12815,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -11247,71 +12825,72 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for 
@@ -11320,13 +12899,14 @@ interactions: Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable @@ -11336,11 +12916,11 @@ interactions: cache-control: - no-cache content-length: - - '1681993' + - '1773286' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:54 GMT + - Thu, 06 Feb 2020 17:54:38 GMT expires: - '-1' pragma: 
@@ -11371,7 +12951,7 @@ interactions: - --management-group User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11380,46 +12960,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data - recovery and is easier to enable than other cloud backup services.","metadata":{"category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this 
Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11427,55 +13008,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Micro
soft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - 
Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of 
duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11488,11 +13069,11 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -11504,67 +13085,69 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -11576,17 +13159,17 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -11597,26 +13180,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -11624,7 +13209,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -11643,44 +13228,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -11689,96 +13280,98 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/vir
tualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer"
,"notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer"
,"notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11788,10 +13381,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -11802,55 +13395,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws 
or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this 
System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMa
chines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy @@ -11859,7 +13457,7 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' 
@@ -11874,22 +13472,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This @@ -11898,7 +13497,7 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; 
@@ -11912,12 +13511,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -11926,7 +13526,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Mic
rosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -11935,10 +13536,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + 
implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -11946,22 +13547,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. 
This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -11972,44 +13574,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -12017,48 +13621,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Win
dowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microso
ft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -12066,12 +13670,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12083,51 +13687,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/im
ageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the 
shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -12135,18 +13746,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.win
dowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"fiel
d":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12154,20 +13768,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compu
te/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12176,7 +13792,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","e
quals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -12186,16 +13802,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12208,28 +13824,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -12242,37 +13858,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -12283,22 +13900,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12306,74 +13924,88 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/
virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","li
ke":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This 
@@ -12381,55 +14013,58 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOff
er","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - 
Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infra
structure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-serv
er*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -12441,25 +14076,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based 
Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12468,7 +14103,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-window
s-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', 
@@ -12481,18 +14116,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12501,36 +14136,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -12539,7 +14176,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Mic
rosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -12549,71 +14187,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute
/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -12623,7 +14262,8 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"st
ring"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"ty
pe":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -12631,107 +14271,132 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + 
clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","conten
tVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -12741,7 +14406,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -12754,21 +14419,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -12787,354 +14452,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile
.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - 
Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log 
Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
monitoring for Linux VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","
exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compu
te/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/im
ageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. 
This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security 
events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -13143,9 +14841,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"
11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -13158,21 +14856,22 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to 
scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d
16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -13180,7 +14879,7 @@ interactions: Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -13194,84 +14893,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -13280,109 +14982,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13390,32 +15094,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfil
e.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU
","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 
1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -13425,17 +15130,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13447,7 +15152,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13455,73 +15160,74 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.C
ompute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"
anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storagePro
file.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. 
Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -13534,22 +15240,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13557,11 +15264,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vi
rtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication 
protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -13569,12 +15276,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","ex
ists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan 
results, with a ''sqlva'' prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -13585,8 +15292,9 @@ interactions: ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -13647,15 +15355,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13663,72 +15372,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtua
lMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micr
osoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest 
Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', 
parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable 
media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication 
control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -13737,10 +15454,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},
{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13750,32 +15467,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory 
+ implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -13784,13 +15501,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]
}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard 
is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. + Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field"
:"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -13802,31 +15520,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -13840,70 +15558,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -13911,13 +15630,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Comp
ute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -13925,70 +15644,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field
":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -14014,7 +15735,30 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parame
ters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCh
eckForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClien
tConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"st
ring"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs 
credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -14035,10 +15779,12 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -14046,33 +15792,35 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfi
le.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pi
votal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -14080,12 +15828,13 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osP
rofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -14097,7 +15846,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -14109,7 +15858,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Mic
rosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14120,40 +15870,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -14162,91 +15912,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-
os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14255,7 +16007,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS 
@@ -14272,73 +16025,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer"
,"like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: 
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14347,7 +16101,7 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -14358,13 +16112,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14372,94 +16126,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vi
rtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability 
control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. 
Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"
field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -14479,7 +16235,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAS
ervice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFil
esAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAr
eDeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"typ
e":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -14497,138 +16273,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMa
chines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14636,18 +16424,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute
/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -14655,9 +16443,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLik
e":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14670,15 +16458,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -14686,18 +16476,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -14705,110 +16496,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then
":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. 
Also, it shows - failed SMB SPN checks. Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. 
Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', 
parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14817,7 +16617,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf
":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -14826,89 +16627,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - 
profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - 
profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"the
n":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private 
profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"fiel
d":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -14940,7 +16744,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameter
s(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicD
isplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicU
seProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnec
tions":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -14959,10 +16784,12 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -14971,7 +16798,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version 
@@ -14988,36 +16815,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOf
fer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15025,7 +16852,7 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Co
mpute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -15034,7 +16861,7 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; 
@@ -15049,54 +16876,55 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they - reach the web app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: Show audit 
results from Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15104,103 +16932,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute
/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy 
Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deploy
IfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - 
Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Co
mpute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is 
enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Comput
e/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows 
Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -15214,109 +17058,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15324,42 +17172,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Mic
rosoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource 
types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect 
Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing 
Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -15378,111 +17228,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/os
Profile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublishe
r","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storag
eProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + 
implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15490,172 +17343,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Comp
ute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher 
instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as 
credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","
equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Micr
osoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management 
control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -15664,7 +17530,7 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"}
,{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', 
@@ -15682,80 +17548,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -15764,7 +17635,7 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"
}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', 
@@ -15782,11 +17653,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.
windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batc
h"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -15797,21 +17669,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15819,51 +17697,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virt
ualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines
/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","l
ike":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -15873,25 +17751,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServer
DisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLo
gonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft 
network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15899,28 +17787,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vi
rtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -15928,20 +17817,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","l
ike":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -15954,57 +17843,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equ
als":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf"
:[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -16016,42 +17911,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/i
mageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', 
parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential 
Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -16118,72 +18020,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.C
ompute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","
equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"fie
ld":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsof
t.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they - reach the API app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And 
Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -16191,28 +18100,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering
-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. 
For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. 
False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.C
ompute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -16226,44 +18135,45 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before - they reach the Function app","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -16277,11 +18187,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16289,31 +18199,32 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOf
fer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"fiel
d":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -16325,7 +18236,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -16341,30 +18252,31 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16372,88 +18284,95 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOff
er","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute
/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This 
policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit 
https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{
"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -16464,30 +18383,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -16497,7 +18418,7 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -16508,33 +18429,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -16547,57 +18468,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storagePro
file.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -16611,41 +18532,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"M
icrosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"
},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -16653,43 +18576,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/vir
tualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"t
hen":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -16698,7 +18627,7 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-interne
t-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', 
parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -16711,124 +18640,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read 
privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Mic
rosoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equ
als":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"f
ield":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. 
The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', 
''='', - parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"th
en":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -16836,104 +18790,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"fiel
d":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account 
status","description":"Specifies whether the local + Guest account is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"200
8*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account 
status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -16941,20 +18913,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -16968,74 +18940,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key 
Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -17045,8 +19019,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -17054,26 +19028,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17088,12 +19067,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17107,25 +19086,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -17139,23 +19118,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This @@ -17164,7 +19143,7 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 
@@ -17178,17 +19157,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -17200,7 +19179,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cl
oudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -17208,33 +19188,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Comp
ute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17242,7 +19227,7 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOff
er","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -17250,30 +19235,31 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublish
er","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of 
authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute
/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -17281,10 +19267,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Com
pute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -17296,7 +19282,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -17310,81 +19296,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and 
sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","e
xists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":
"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17392,115 +19386,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},
{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', 
parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No 
Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage account containing the container with activity logs must be encrypted with BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at - rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / 
Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -17508,101 +19511,105 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","preview":true},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Co
mpute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities on your SQL databases should be 
remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + 
implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in 
months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. 
To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key 
types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key 
Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + ''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -17611,7 +19618,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -17620,25 +19627,25 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -17647,7 +19654,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -17657,71 +19664,72 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for 
@@ -17730,13 +19738,14 @@ interactions: Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable @@ -17746,11 +19755,11 @@ interactions: cache-control: - no-cache content-length: - - '1681993' + - '1773286' content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:53:57 GMT + - Thu, 06 Feb 2020 17:54:40 GMT expires: - '-1' pragma: 
@@ -17783,7 +19792,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: POST @@ -17799,7 +19808,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:54:01 GMT + - Thu, 06 Feb 2020 17:54:42 GMT expires: - '-1' pragma: @@ -17832,7 +19841,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17848,7 +19857,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:54:11 GMT + - Thu, 06 Feb 2020 17:54:52 GMT expires: - '-1' pragma: @@ -17881,7 +19890,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: DELETE @@ -17897,7 +19906,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:54:15 GMT + - Thu, 06 Feb 2020 17:54:59 GMT expires: - '-1' location: @@ -17905,11 +19914,11 @@ interactions: pragma: - no-cache request-id: - - e4119d9a-bffb-4530-8c50-260e27f7fa3f + - e61c72e3-17b9-4d28-a712-3a81a6ed67b1 strict-transport-security: - max-age=31536000; includeSubDomains x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1549 x-content-type-options: - nosniff x-ms-ratelimit-remaining-tenant-deletes: 
@@ -17932,7 +19941,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-managementgroups/0.2.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/providers/Microsoft.Management/operationResults/delete/managementGroups/cli-test-mgmt-group000002?api-version=2018-03-01-preview response: @@ -17946,13 +19955,13 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Wed, 11 Dec 2019 01:54:26 GMT + - Thu, 06 Feb 2020 17:55:09 GMT expires: - '-1' pragma: - no-cache request-id: - - 69530a9a-4a6a-401b-8406-0a514de53da0 + - 06100db4-3cb9-4f05-8e33-86abd0651850 strict-transport-security: - max-age=31536000; includeSubDomains transfer-encoding: @@ -17960,7 +19969,7 @@ interactions: vary: - Accept-Encoding,Accept-Encoding x-ba-restapi: - - 1.0.3.1543 + - 1.0.3.1549 x-content-type-options: - nosniff status: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_scenario.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_scenario.yaml index deb85ea75c5..d0ae45637c2 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_scenario.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_scenario.yaml @@ -13,7 +13,7 @@ interactions: ParameterSetName: - --query User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -21,28 +21,16 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?$filter=&api-version=2019-07-01 response: body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","name":"azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","name":"azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","name":"azureclitestlinux","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestlinux/extensions/OmsAgentForLinux","name":"azureclitestlinux/OmsAgentForLinux","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","name":"azureclitestwin","type":"Microsoft.Compute/virtualMachi
nes","location":"eastus","identity":{"principalId":"2df74268-9c56-4884-80ef-2f69781eb458","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestwin/extensions/MicrosoftMonitoringAgent","name":"azureclitestwin/MicrosoftMonitoringAgent","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.KeyVault/vaults/azureclitest-vault","name":"azureclitest-vault","type":"Microsoft.KeyVault/vaults","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/bastionHosts/azure-cli-test-bastion","name":"azure-cli-test-bastion","type":"Microsoft.Network/bastionHosts","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestlinux487","name":"azureclitestlinux487","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestwin173","name":"azureclitestwin173","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestlinux-nsg","name":"azureclitestlinux-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestwin-nsg","name":"azureclitestwin-nsg","type":"Microsoft.Network/networkSecurityGroups","lo
cation":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io","name":"privatelink.azurecr.io","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/publicIPAddresses/azure-cli-test-public-ip","name":"azure-cli-test-public-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/virtualNetworks/azure-cli-test-vnet","name":"azure-cli-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag","name":"azureclitestrgdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag180","name":"azureclitestrgdiag180","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-core-poc/providers/Microsoft.Storage/storageAccounts/azurecorepoc","name":"azurecorepoc","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/AzureSDKTest_ScheduledCleaner","name":"AzureSDKTest_Schedule
dCleaner","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/TestLogicApp","name":"TestLogicApp","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/arm","name":"arm","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azureautomation","name":"azureautomation","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azuremonitorlogs","name":"azuremonitorlogs","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv5","name":"bim-kv5","type":"Microsoft.KeyVault/vaults","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv8","name":"bim-kv8","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/networkInterfaces/bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","name":"bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net","name":"privatelink.vaultcore.azure.net","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/subsc
riptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/s6s556pxon6mw","name":"privatelink.vaultcore.azure.net/s6s556pxon6mw","type":"Microsoft.Network/privateDnsZones/virtualNetworkLinks","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateEndpoints/bim-pe","name":"bim-pe","type":"Microsoft.Network/privateEndpoints","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet","name":"bim-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet1","name":"bim-vnet1","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01","name":"cli-acc-lefr-01","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01/volumes/cli-volume-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01/cli-volume-lefr-01
","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-01","name":"cli-vnet-lefr-01","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb","name":"cli-acc-4g47wcbjhikbiryb","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb/capacityPools/cli-pool-rarzmnkwtqzglj4","name":"cli-acc-4g47wcbjhikbiryb/cli-pool-rarzmnkwtqzglj4","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb/capacityPools/cli-pool-rarzmnkwtqzglj4/volumes/cli-vol-h6zuyg4c5hvxntjx","name":"cli-acc-4g47wcbjhikbiryb/cli-pool-rarzmnkwtqzglj4/cli-vol-h6zuyg4c5hvxntjx","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-02-nic-20NA0U","name":"anf-cli-vnet-lefr-02-nic-20NA0U","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_s
napshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt","name":"cli-acc-s3ddxv7rcas6tlqt","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal/snapshots/cli-sn-xuosclazscz7mdnfm","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal/cli-sn-xuosclazscz7mdnfm","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfil
es_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-02-nic-D0E288","name":"anf-cli-vnet-lefr-02-nic-D0E288","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5","name":"cli-acc-ntb2ma3l4cks2oe5","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j/volumes/cli-vol-gpl6m25se32t2drr","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j/cli-vol-gpl6m25se32t2drr","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtua
lNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs","name":"cli-acc-w5jx6si6ji55voxs","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op/volumes/cli-vol-53mm6v7tzhtt5ci2","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op/cli-vol-53mm6v7tzhtt5ci2","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-mycjrnigtyehfpg-nic-9HKVH2","name":"anf-cli-vnet-mycjrnigtyehfpg-nic-9HKVH2","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/virtualNetworks/cli-vnet-mycjrnigtyehfpg","name":"cli-vnet-mycjrnigtyehfpg","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7t
g3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b","name":"cli-acc-nristrl3sasxf32b","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2/volumes/cli-vol-obj3h4t6irkmsznu","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2/cli-vol-obj3h4t6irkmsznu","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","name":"anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/virtualNetworks/cli-vnet-k2bku3zrpd6otc3","name":"cli-vnet-k2bku3zrpd6otc3","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.NetApp/netAppAccounts/cli-acc-xmmfui5pvv4toht4","name":"cli-acc-xmmfui5pvv4toht4","type":
"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.NetApp/netAppAccounts/cli-acc-xmmfui5pvv4toht4/capacityPools/cli-pool-cuaw3bgx4m72b4w","name":"cli-acc-xmmfui5pvv4toht4/cli-pool-cuaw3bgx4m72b4w","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.Network/virtualNetworks/cli-vnet-p72pwguegdqr24o","name":"cli-vnet-p72pwguegdqr24o","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/publicIPAddresses/gwip1","name":"gwip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westus","tags":{"foo":"boo"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_basichde6z7i6uitoprhnxhc2tcczb53v6lmwmio6622bi5r4mxh63ajmi2pt3o/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscription
s/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_frontend_ip_public5ai45fzxsaynqianqu4p2bxn5hnfyqeucp3lvd3hockxh/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_http_settingsdt4567buy5ceiha6k7t6tlhv3f5bbhdopzvwoytluy3dxkt7h6/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_private_ipwigllraqvruqp5jbpfefwlp7vsnoxsw424ypvgq65n5v3jjl2thxd/providers/Microsoft.Network/virtualNetworks/ag3Vnet","name":"ag3Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/virtualNetworks/gw1Vnet","name":"gw1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/publicIPAddresses/myip1","name":"myip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type"
:"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_rules_with_ipgroupse4upfibqoujmdn4odvtgrbuvqqgdvwd7/providers/Microsoft.Network/ipGroups/destinationipgroup","name":"destinationipgroup","type":"Microsoft.Network/ipGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsoft.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsof
t.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclinlgstl3ndjbx","name":"eh-nsclinlgstl3ndjbx","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclipqjpqzaomo64","name":"eh-nsclipqjpqzaomo64","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclicrivl23n25yr","name":"eh-nsclicrivl23n25yr","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclig5topw26qop5","name":"eh-nsclig5topw26qop5","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscli475lksshlq57","name":"eh-nscli475lksshlq57","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscliu2aq4ygqmjba","name":"eh-nscliu2aq4ygqmjba","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_keyvault_pev5vwohwc5dirit6qvqyfeegxyzgtbpue3d4a4xukv4utxpa4fi66itm/providers/Microsoft.Network/virtualNetworks/cli-vnet-blvqpkews4d4q7d","name":"cli-vnet-blvqpkews4d4q7d","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_mixed_realitygv2l3elh76a7brm66drgektfyzfsijxog6smmqzg6dnn2r7ofuf6c/providers/Microsoft.MixedReality/spatialAnchorsAccounts/MyAccount","name":"MyAccount","type":"Microsoft.MixedReality/spatialAnchorsAccounts","location":"eastus2euap","identity":{"type":"None"},"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7s
x6dn/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliaqfra2n2au2q","name":"sb-nscliaqfra2n2au2q","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag2: - value2,":"","tag1: 
value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliqhxbpvrow6v6","name":"sb-nscliqhxbpvrow6v6","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag2: - value2,":"","tag1: value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nsclirfgvnl4guyma","name":"sb-nsclirfgvnl4guyma","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nscliucbt7pri3etf","name":"sb-nscliucbt7pri3etf","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router4jftwvqg7c4qf5cl3equryyrich6sye6mu3ab27focv2xez3nrvf/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router6ah44hkwaiunishzfuakmk5j5tyguwqurycesvryomjcsmjcc3p3/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router73dbgjwlekowfnjih5ovae4bmu67izrdit2jebvknbqfgtvi3fne/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router7cibbvfjttlgg6zw3z5yxqbgc3lzjyfzoowpvfct7grmsrch5xtx/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerdr74a62ccu2ctpd6p56d4jrg6u4nxcmdjb4w445u4llvpmhbq2wi/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routeri2y6ofthh2s7lli2hn6duuoskl7f4zt73faffn6oi6wlioswhbhp/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Networ
k/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerrwfem26esani3ontudyvh6glkoyc5xncjnzxg5j6z4mfiphsuh5e/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routert4sl4vlahkzkcf66gopghh6emixxvcxilh5ztirviuxg6lqoyoc4/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routervbaalksbo2ix37kt34tq3p5y7g4ywwh2mr2qqgxwio6ii2xm5qhb/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerw43o33exwyp6rxe6dh6qnw4o2rwsxabnftuzapcb2hvajghh33de/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerwiw43ukelamlqitzkvo2kkirlniy6nhcrydg3qtwapx6koz7hfgf/providers/Microsoft.
Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerxcouawbpkduxdg5xbsn3casuh7q3cvf2unu367kruseazch4w3di/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routery7hke7smvznjb6jyeiiyo6vmcswslr34p2anmj2c3zs25osa4ec7/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/loadBalancers/vmss123LB","name":"vmss123LB","type":"Microsoft.Network/loadBalancers","sku":{"name":"Standard"},"location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/networkSecurityGroups/vmss123NSG","name":"vmss123NSG","type":"Microsoft.Network/networkSecurityGroups","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/publicIPAddresses/vmss123LBPublicIP","name":"vmss123LBPublicIP","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus2","zones":["2"],"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/virtualNetworks/vmss123VNET","name":"vmss123VNET","type":"Microsoft.Network/virtualNetworks","location":"eastus2","tags":{}},{
"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg2qgvxjxy46scnjuh6q5gtypebpi5oeuajfgxb7yrrsggnqxrij6pnc3d7ybz2chih/providers/Microsoft.RecoveryServices/vaults/clitest-vaultcriakztggjr","name":"clitest-vaultcriakztggjr","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg35pihforqftkb5qllg3t75zoxlztjwsmuftgdsphbiy2r3adx3t3spnkzzs2c5c4s/providers/Microsoft.RecoveryServices/vaults/clitest-vaultonvx2gbjtjz","name":"clitest-vaultonvx2gbjtjz","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg3s3h2izedr4olwdk4jqjhltn4lkukfixgfalhtfjmiy6u3xndqvdkrr4j4jqhx6hu/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjs23w5bobvn","name":"clitest-vaultjs23w5bobvn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.RecoveryServices/vaults/clitest-vault37l77wc5c65","name":"clitest-vault37l77wc5c65","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.Storage/storageAccounts/clitestu3p7a7ib4n4y7gt4m","name":"clitestu3p7a7ib4n4y7gt4m","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6mxjzuorkskzxoisjj4q7leopfu5mge2nncxfuw33pn7w5rzgt6nqhx3f2koq427p/providers/Microsoft.RecoveryServices/vaults/clitest-vaultqcbszkdhprt","name":"clitest-vaultqcbszkdhprt","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"loca
tion":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgduxuhyeqzrek7s3jfr776qvugv4qtmrxnlqcwiodxu2wihvqvuajr5bvtbfw2c74d/providers/Microsoft.RecoveryServices/vaults/clitest-vaultvgik7njuazq","name":"clitest-vaultvgik7njuazq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgdzk3w2kpwtbjaippkz6nrab53pinz3nbdcoxurf2fm477d5j2qa43kpmvlh34nudn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultijxt4x4hr4n","name":"clitest-vaultijxt4x4hr4n","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgeklv32akhatp5eikltrbwu3nv7knshqr3ftxpzao7mqusloghl7zsduclggbkqpyg/providers/Microsoft.ContainerRegistry/registries/clireghnxtzih6elkkp7","name":"clireghnxtzih6elkkp7","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Standard","tier":"Standard"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgib3viqdhrawwnaopavpcsc2u3psfod7wlami5tg57borlex2io2b7nolpz4qxhm5p/providers/Microsoft.RecoveryServices/vaults/clitest-vaulte5qqz3zjihv","name":"clitest-vaulte5qqz3zjihv","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgljk7owl4ldwt37zws4grwrer6zjnyeqczgvqzr4vcrrhju7sv5a2sc567rezz2q7b/providers/Microsoft.ContainerRegistry/registries/cliregcn7lqgzmomxrit","name":"cliregcn7lqgzmomxrit","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Premium","tier":"Premium"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgmjjmywipmiqslgzl7tzax3aje4fcv3q5xr2h7hulg63ehpwno2mu7ij7dokxqbh5x/providers/Microsoft.RecoveryServices/vaults/clitest-vaul
tqofbmffwsre","name":"clitest-vaultqofbmffwsre","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgp535jz2dxemblsqlvzwsk4ehth7eprd5yny22fi5rppnick62nncsonvlutvmvbje/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsqo77eexzn","name":"clitest-vaulttsqo77eexzn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgr5sog7j3q3a5o2vy3r4gpl3ylcovxfcbkttkotqe653iz4mlsrbjns76tv4v4lbqq/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfe6e244jgwn","name":"clitest-vaultfe6e244jgwn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rguk5hr7imq2zbvjzaogkt7gke2onbbn6sr3ux5rfdiqufofpfrmblbmbzrtd663lkn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfiskwqfysgb","name":"clitest-vaultfiskwqfysgb","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgyreu2qkpgqyrm56i4cocrrcf5xb2uzmvlm2lau226cqk6zetyu5olii7figpx2mix/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsindhzqq4y","name":"clitest-vaulttsindhzqq4y","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgzj3xc6lmggzuorcimokxvkq7lrrxtcty3dilmrxzwdjcq35dqahmc7e7snha4milh/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjlixfyp46tq","name":"clitest-vaultjlixfyp46tq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cloud-shell-storage-westus/providers/Microsoft.Storage/storageAccoun
ts/cs40b1f64711bf0x4ddaxaec","name":"cs40b1f64711bf0x4ddaxaec","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cls_test_adls_fileagud65zszgmmhrjitvc3xrvbjqgzo6e2k6hz6q32xaahz3liu6bllegbz/providers/Microsoft.DataLakeStore/accounts/cliadls7i4c6a3r2irkh5ezr","name":"cliadls7i4c6a3r2irkh5ezr","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/CliGtTestVnet6623","name":"CliGtTestVnet6623","type":"Microsoft.ClassicNetwork/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/networkInterfaces/sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","name":"sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/privateLinkServices/sdfsdfsdf","name":"sdfsdfsdf","type":"Microsoft.Network/privateLinkServices","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/virtualNetworks/vnettest","name":"vnettest","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.alertsmanagement/smartDetectorAlertRules/Failure - Anomalies - fengwsinsightsf6615a96b9","name":"Failure Anomalies - 
fengwsinsightsf6615a96b9","type":"microsoft.alertsmanagement/smartDetectorAlertRules","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/actiongroups/Application - Insights Smart Detection","name":"Application Insights Smart Detection","type":"microsoft.insights/actiongroups","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/components/fengwsinsightsf6615a96b9","name":"fengwsinsightsf6615a96b9","type":"microsoft.insights/components","kind":"web","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.KeyVault/vaults/fengwskeyvault7b56d2ee87","name":"fengwskeyvault7b56d2ee87","type":"Microsoft.KeyVault/vaults","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.MachineLearningServices/workspaces/feng-ws","name":"feng-ws","type":"Microsoft.MachineLearningServices/workspaces","sku":{"name":"Basic","tier":"Basic"},"location":"westus2","identity":{"principalId":"e08a42f0-29de-46db-a246-9e14da9a92eb","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/feng-test-space","name":"feng-test-space","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2","name":"my-test-space-2","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000
000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-1","name":"my-test-space-2/my-hub-1","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-2","name":"my-test-space-2/my-hub-2","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-3","name":"my-test-space-3","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengsa","name":"fengsa","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengwsstorage28dfde17cb1","name":"fengwsstorage28dfde17cb1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/diskEncryptionSets/des1","name":"des1","type":"Microsoft.Compute/diskEncryptionSets","location":"centraluseuap","identity":{"principalId":"972fc458-2d2c-4db5-936b-2d7064770777","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/disks/disk1","name":"disk1","type":
"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/FYTEST/providers/Microsoft.Compute/disks/vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","name":"vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/snapshots/s1","name":"s1","type":"Microsoft.Compute/snapshots","sku":{"name":"Standard_LRS","tier":"Standard"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","name":"vm","type":"Microsoft.Compute/virtualMachines","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.KeyVault/vaults/vault4848","name":"vault4848","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/networkInterfaces/vmVMNic","name":"vmVMNic","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/networkSecurityGroups/vmNSG","name":"vmNSG","type":"Microsoft.Network/networkSecurityGroups","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/publicIPAddresses/vmPublicIP","name":"vmPublicIP","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centralu
seuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/virtualNetworks/vmVNET","name":"vmVNET","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","name":"harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","name":"harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","name":"harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","name":"harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","ty
pe":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","name":"harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","name":"harold-cm-vm-01","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-01/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","name":"harold-cm-vm-02","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-02/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03"
,"name":"harold-cm-vm-03","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-03/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","name":"harold-cm-vm-04","type":"Microsoft.Compute/virtualMachines","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-04/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","name":"harold-cm-vm-05","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-05/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-01235","name":"harold-cm-vm-01235","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0243","name":"harold-cm-vm-0243","type":"Microsoft.Network/networkInterfaces","location":"wes
tus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-03344","name":"harold-cm-vm-03344","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0489","name":"harold-cm-vm-0489","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-05892","name":"harold-cm-vm-05892","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-01-nsg","name":"harold-cm-vm-01-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-02-nsg","name":"harold-cm-vm-02-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-03-nsg","name":"harold-cm-vm-03-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-04-nsg","name":"harold-cm-vm-04-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-05-nsg","name":"harold-cm-vm-05-nsg","type":"Microsoft.Network/networkSecurityG
roups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-01-ip","name":"harold-cm-vm-01-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-02-ip","name":"harold-cm-vm-02-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-03-ip","name":"harold-cm-vm-03-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-04-ip","name":"harold-cm-vm-04-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-05-ip","name":"harold-cm-vm-05-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/harold-test-vnet","name":"harold-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet745","name":"haroldtestvnet745","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvne
t914","name":"haroldtestvnet914","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.OperationalInsights/workspaces/harold-log-analysis","name":"harold-log-analysis","type":"Microsoft.OperationalInsights/workspaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag","name":"haroldtestdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag482","name":"haroldtestdiag482","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag596","name":"haroldtestdiag596","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/javacsmrg46947/providers/Microsoft.EventHub/namespaces/ns1305011933","name":"ns1305011933","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.KeyVault/vaults/jlkv0130","name":"jlkv0130","type":"Microsoft.KeyVault/vaults","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.Storage/storageAccounts/jlcsst","name":"jlcsst","type":"Microsoft.Storage/storageAccou
nts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/JLVM2RG/providers/Microsoft.Compute/disks/jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","name":"jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","name":"jlvm2","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkInterfaces/jlvm2980","name":"jlvm2980","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkSecurityGroups/jlvm2-nsg","name":"jlvm2-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/publicIPAddresses/jlvm2-ip","name":"jlvm2-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/virtualNetworks/jlvm2rg-vnet","name":"jlvm2rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_canadaeast","name":"NetworkWatcher_canadaeast","type":"Micros
oft.Network/networkWatchers","location":"canadaeast"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centralus","name":"NetworkWatcher_centralus","type":"Microsoft.Network/networkWatchers","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centraluseuap","name":"NetworkWatcher_centraluseuap","type":"Microsoft.Network/networkWatchers","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastasia","name":"NetworkWatcher_eastasia","type":"Microsoft.Network/networkWatchers","location":"eastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2","name":"NetworkWatcher_eastus2","type":"Microsoft.Network/networkWatchers","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southeastasia","name":"NetworkWatcher_southeastasia","type":"Microsoft.Network/networkWatchers","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus","name":"NetworkWatcher_westcentralus","type":"Microsoft.Network/networkWatchers","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/pro
viders/Microsoft.Network/networkWatchers/NetworkWatcher_westus","name":"NetworkWatcher_westus","type":"Microsoft.Network/networkWatchers","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/serverFarms/bookstore-westus2","name":"bookstore-westus2","type":"Microsoft.Web/serverFarms","sku":{"name":"P1v2","tier":"PremiumV2","size":"P1v2","family":"Pv2","capacity":1},"kind":"linux","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/sites/emerald-bookstore","name":"emerald-bookstore","type":"Microsoft.Web/sites","kind":"app,linux","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTESTRG2BDF0168/providers/Microsoft.Compute/disks/PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","name":"PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","location":"southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","name":"PSTestVM2bdf00","type":"Microsoft.Compute/virtualMachines","location":"southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-0
00000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkInterfaces/PSTestNIC2bdf00","name":"PSTestNIC2bdf00","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkSecurityGroups/PSTestNSG2bdf00","name":"PSTestNSG2bdf00","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/publicIPAddresses/pstestpublicdns2bdf00","name":"pstestpublicdns2bdf00","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/virtualNetworks/PSTestVNET2bdf00","name":"PSTestVNET2bdf00","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/QIANWENS/providers/Microsoft.Compute/disks/qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","name":"qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","name":"qianwen-ubuntu","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkInterfaces/qianwen-ubuntu473","name":"qianwen-ubuntu473","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions
/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkSecurityGroups/qianwen-ubuntu-nsg","name":"qianwen-ubuntu-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/publicIPAddresses/qianwen-ubuntu-ip","name":"qianwen-ubuntu-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/virtualNetworks/qianwens-vnet","name":"qianwens-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Storage/storageAccounts/qianwensdiag","name":"qianwensdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/networkInterfaces/anf-sdk-vnet-nic-VLB5RZ","name":"anf-sdk-vnet-nic-VLB5RZ","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/virtualNetworks/sdk-vnet","name":"sdk-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro1","name":"storagesfrepro1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAcco
unts/storagesfrepro10","name":"storagesfrepro10","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro11","name":"storagesfrepro11","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro12","name":"storagesfrepro12","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro13","name":"storagesfrepro13","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro14","name":"storagesfrepro14","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro15","name":"storagesfrepro15","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro16","name":"storage
sfrepro16","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro17","name":"storagesfrepro17","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro18","name":"storagesfrepro18","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro19","name":"storagesfrepro19","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro2","name":"storagesfrepro2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro20","name":"storagesfrepro20","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro21","name":"storagesfrepro21","type":"Microsoft.Storage/sto
rageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro22","name":"storagesfrepro22","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro23","name":"storagesfrepro23","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro24","name":"storagesfrepro24","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro25","name":"storagesfrepro25","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro3","name":"storagesfrepro3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro4","name":"storagesfrepro4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGR
S","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro5","name":"storagesfrepro5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro6","name":"storagesfrepro6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro7","name":"storagesfrepro7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro8","name":"storagesfrepro8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro9","name":"storagesfrepro9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xiaojianxu/providers/Microsoft.RecoveryServices/vaults/vault418","name":"vault418","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"RS0","tier":"Standard"},"location":"eastasia"},{"id":"/subscriptions/00000000-0000-00
00-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Batch/batchAccounts/yeming","name":"yeming","type":"Microsoft.Batch/batchAccounts","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.DataLakeStore/accounts/yemingdatalake","name":"yemingdatalake","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.KeyVault/vaults/yeming","name":"yeming","type":"Microsoft.KeyVault/vaults","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Storage/storageAccounts/yeming","name":"yeming","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/YU-TEST-RG/providers/Microsoft.Compute/disks/yu-vm-file-sync_OsDisk_1_e7e0057e014a4892b36383bf731f3bdf","name":"yu-vm-file-sync_OsDisk_1_e7e0057e014a4892b36383bf731f3bdf","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","name":"yu-vm-file-sync","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/networkInterfaces/yu-vm-file-sync535","name":"yu-vm-file-sync535","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Net
work/networkSecurityGroups/yu-vm-file-sync-nsg","name":"yu-vm-file-sync-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/publicIPAddresses/yu-vm-file-sync-ip","name":"yu-vm-file-sync-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/virtualNetworks/yu-test-rg-vnet","name":"yu-test-rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Storage/storageAccounts/yustorageaccountforsync","name":"yustorageaccountforsync","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.StorageSync/storageSyncServices/yu-storage-sync","name":"yu-storage-sync","type":"Microsoft.StorageSync/storageSyncServices","location":"eastus","tags":{"zhoxing_test":"1"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.ApiManagement/service/test-serv","name":"test-serv","type":"Microsoft.ApiManagement/service","sku":{"name":"Developer","capacity":1},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest","name":"zhoxingtest","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest2","name":"zhoxingtest2"
,"type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest3","name":"zhoxingtest3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest4","name":"zhoxingtest4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest5","name":"zhoxingtest5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest6","name":"zhoxingtest6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest7","name":"zhoxingtest7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest8","name":"zhoxingtest8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00
000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest9","name":"zhoxingtest9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.DataLakeStore/accounts/zuhdls","name":"zuhdls","type":"Microsoft.DataLakeStore/accounts","location":"eastus2","identity":{"principalId":"327a3561-97d1-4836-8a67-ddd60546701a","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors1","name":"zuhors1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors2","name":"zuhors2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}}]}' + string: 
'{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv1","name":"cheggkv1","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv3","name":"cheggkv3","type":"Microsoft.KeyVault/vaults","location":"eastus2","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cheggmsi","name":"cheggmsi","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet1","name":"cheggvnet1","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet2","name":"cheggvnet2","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet3","name":"cheggvnet3","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.KeyVault/vaults/cheggkv2","name":"cheggkv2","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cheggmsi2","name":"cheggmsi2","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"canadaeast","tags":{}},{"id":"/subscri
ptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_northcentralus","name":"NetworkWatcher_northcentralus","type":"Microsoft.Network/networkWatchers","location":"northcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2","tags":{"mockTag":"mockValue"}}]}' headers: cache-control: - no-cache content-length: - - '89556' + - '3141' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:39 GMT + - Thu, 06 Feb 2020 00:08:55 GMT expires: - '-1' pragma: @@ -70,7 +58,7 @@ interactions: ParameterSetName: - -g -n --subnet-name --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -78,7 +66,7 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_resource_scenario000001?api-version=2019-07-01 response: body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001","name":"cli_test_resource_scenario000001","type":"Microsoft.Resources/resourceGroups","location":"southcentralus","tags":{"product":"azurecli","cause":"automation","date":"2020-02-07T16:40:33Z"},"properties":{"provisioningState":"Succeeded"}}' + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001","name":"cli_test_resource_scenario000001","type":"Microsoft.Resources/resourceGroups","location":"southcentralus","tags":{"product":"azurecli","cause":"automation","date":"2020-02-06T00:08:53Z"},"properties":{"provisioningState":"Succeeded"}}' headers: cache-control: - no-cache @@ -87,7 +75,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:41 GMT + - Thu, 06 Feb 2020 00:08:56 GMT expires: - '-1' pragma: @@ -121,8 +109,8 @@ interactions: ParameterSetName: - -g -n --subnet-name --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-network/7.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: PUT 
@@ -130,15 +118,15 @@ interactions: response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"f3bc3eb6-59d7-4a1d-ae8c-4b0cc0a09867\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"1c2bcd2a-6c9b-42f9-b741-87514aafea5d\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {\r\n \"cli-test\": \"test\"\r\n },\r\n \"properties\": {\r\n - \ \"provisioningState\": \"Updating\",\r\n \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n + \ \"provisioningState\": \"Updating\",\r\n \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \ \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n \ ]\r\n },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n \ },\r\n \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"f3bc3eb6-59d7-4a1d-ae8c-4b0cc0a09867\\\"\",\r\n + \ \"etag\": \"W/\\\"1c2bcd2a-6c9b-42f9-b741-87514aafea5d\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Updating\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -147,7 +135,7 @@ interactions: false,\r\n \"enableVmProtection\": false\r\n }\r\n}" headers: azure-asyncoperation: - - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/e2d46a47-325e-4bcb-8eba-4274646f0e9e?api-version=2019-11-01 + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/4c4c9292-cc53-47d9-aa9e-e3ca81ddb67d?api-version=2019-09-01 cache-control: - no-cache content-length: @@ -155,7 +143,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:48 GMT + - Thu, 06 Feb 2020 00:08:58 GMT expires: - '-1' pragma: @@ -168,9 +156,9 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - a1714204-a8c4-4d8a-b001-cd20f775676f + - 448edf52-9c75-446c-a9fd-3d9354adaec9 x-ms-ratelimit-remaining-subscription-writes: - - '1194' + - '1199' status: code: 201 message: Created @@ -188,10 +176,10 @@ interactions: ParameterSetName: - -g -n --subnet-name --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-network/7.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/e2d46a47-325e-4bcb-8eba-4274646f0e9e?api-version=2019-11-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/4c4c9292-cc53-47d9-aa9e-e3ca81ddb67d?api-version=2019-09-01 response: body: string: "{\r\n \"status\": \"Succeeded\"\r\n}" 
@@ -203,7 +191,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:52 GMT + - Thu, 06 Feb 2020 00:09:01 GMT expires: - '-1' pragma: @@ -220,7 +208,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 80720bee-2d7a-4996-bd54-85b15a2ef2fc + - 91ff5de0-f929-45cc-91ac-69929a891ee1 status: code: 200 message: OK 
@@ -238,22 +226,22 @@ interactions: ParameterSetName: - -g -n --subnet-name --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-network/7.0.0 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002?api-version=2019-11-01 response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {\r\n \"cli-test\": \"test\"\r\n },\r\n \"properties\": {\r\n - \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \ \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n \ ]\r\n },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n \ },\r\n \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": 
\"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": @@ -268,9 +256,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:53 GMT + - Thu, 06 Feb 2020 00:09:01 GMT etag: - - W/"3b4c6c0e-8942-4a14-b39f-683d225d5ee4" + - W/"42ab806e-4d4b-42ef-a6c5-034c30a8122a" expires: - '-1' pragma: @@ -287,7 +275,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 477fa6b2-5bdb-44da-9d52-203195d164bb + - 83d4e7fc-97ab-4253-84e4-89387690bbd0 status: code: 200 message: OK @@ -303,7 +291,7 @@ interactions: Connection: - keep-alive User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -311,28 +299,16 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?$filter=&api-version=2019-07-01 response: body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","name":"azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","name":"azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","name":"azureclitestlinux","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestlinux/extensions/OmsAgentForLinux","name":"azureclitestlinux/OmsAgentForLinux","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","name":"azureclitestwin","type":"Microsoft.Compute/virtualMac
hines","location":"eastus","identity":{"principalId":"2df74268-9c56-4884-80ef-2f69781eb458","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestwin/extensions/MicrosoftMonitoringAgent","name":"azureclitestwin/MicrosoftMonitoringAgent","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.KeyVault/vaults/azureclitest-vault","name":"azureclitest-vault","type":"Microsoft.KeyVault/vaults","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/bastionHosts/azure-cli-test-bastion","name":"azure-cli-test-bastion","type":"Microsoft.Network/bastionHosts","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestlinux487","name":"azureclitestlinux487","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestwin173","name":"azureclitestwin173","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestlinux-nsg","name":"azureclitestlinux-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestwin-nsg","name":"azureclitestwin-nsg","type":"Microsoft.Network/networkSecurityGroups","
location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io","name":"privatelink.azurecr.io","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/publicIPAddresses/azure-cli-test-public-ip","name":"azure-cli-test-public-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/virtualNetworks/azure-cli-test-vnet","name":"azure-cli-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag","name":"azureclitestrgdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag180","name":"azureclitestrgdiag180","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-core-poc/providers/Microsoft.Storage/storageAccounts/azurecorepoc","name":"azurecorepoc","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/AzureSDKTest_ScheduledCleaner","name":"AzureSDKTest_Schedu
ledCleaner","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/TestLogicApp","name":"TestLogicApp","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/arm","name":"arm","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azureautomation","name":"azureautomation","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azuremonitorlogs","name":"azuremonitorlogs","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv5","name":"bim-kv5","type":"Microsoft.KeyVault/vaults","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv8","name":"bim-kv8","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/networkInterfaces/bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","name":"bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net","name":"privatelink.vaultcore.azure.net","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/sub
scriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/s6s556pxon6mw","name":"privatelink.vaultcore.azure.net/s6s556pxon6mw","type":"Microsoft.Network/privateDnsZones/virtualNetworkLinks","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateEndpoints/bim-pe","name":"bim-pe","type":"Microsoft.Network/privateEndpoints","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet","name":"bim-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet1","name":"bim-vnet1","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01","name":"cli-acc-lefr-01","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01/volumes/cli-volume-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01/cli-volume-lefr-
01","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-01-nic-9TLIIO","name":"anf-cli-vnet-lefr-01-nic-9TLIIO","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-01","name":"cli-vnet-lefr-01","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb","name":"cli-acc-4g47wcbjhikbiryb","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb/capacityPools/cli-pool-rarzmnkwtqzglj4","name":"cli-acc-4g47wcbjhikbiryb/cli-pool-rarzmnkwtqzglj4","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb/capacityPools/cli-pool-rarzmnkwtqzglj4/volumes/cli-vol-h6zuyg4c5hvxntjx","name":"cli-acc-4g47wcbjhikbiryb/cli-pool-rarzmnkwtqzglj4/cli-vol-h6zuyg4c5hvxntjx","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test
_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt","name":"cli-acc-s3ddxv7rcas6tlqt","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal/snapshots/cli-sn-xuosclazscz7mdnfm","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal/cli-sn-xuosclazscz7mdnfm","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappf
iles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal/snapshots/cli-sn-mst3vgtwwwlwvoxo2","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal/cli-sn-mst3vgtwwwlwvoxo2","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-02-nic-D0E288","name":"anf-cli-vnet-lefr-02-nic-D0E288","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5","name":"cli-acc-ntb2ma3l4cks2oe5","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-ac
c-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j/volumes/cli-vol-gpl6m25se32t2drr","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j/cli-vol-gpl6m25se32t2drr","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs","name":"cli-acc-w5jx6si6ji55voxs","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op/volumes/cli-vol-53mm6v7tzhtt5ci2","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op/cli-vol-53mm6v7tzhtt5ci2","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-mycjrnigtyehfpg-nic-9HKVH2","name":"anf-cli-vnet-m
ycjrnigtyehfpg-nic-9HKVH2","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/virtualNetworks/cli-vnet-mycjrnigtyehfpg","name":"cli-vnet-mycjrnigtyehfpg","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b","name":"cli-acc-nristrl3sasxf32b","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2/volumes/cli-vol-obj3h4t6irkmsznu","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2/cli-vol-obj3h4t6irkmsznu","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","name":"anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-00000000000
0/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/virtualNetworks/cli-vnet-k2bku3zrpd6otc3","name":"cli-vnet-k2bku3zrpd6otc3","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.NetApp/netAppAccounts/cli-acc-xmmfui5pvv4toht4","name":"cli-acc-xmmfui5pvv4toht4","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.NetApp/netAppAccounts/cli-acc-xmmfui5pvv4toht4/capacityPools/cli-pool-cuaw3bgx4m72b4w","name":"cli-acc-xmmfui5pvv4toht4/cli-pool-cuaw3bgx4m72b4w","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.Network/virtualNetworks/cli-vnet-p72pwguegdqr24o","name":"cli-vnet-p72pwguegdqr24o","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/publicIPAddresses/gwip1","name":"gwip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westus","tags":{"foo":"boo"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups
/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_basichde6z7i6uitoprhnxhc2tcczb53v6lmwmio6622bi5r4mxh63ajmi2pt3o/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_frontend_ip_public5ai45fzxsaynqianqu4p2bxn5hnfyqeucp3lvd3hockxh/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_http_settingsdt4567buy5ceiha6k7t6tlhv3f5bbhdopzvwoytluy3dxkt7h6/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_private_ipwigllraqvruqp5jbpfefwlp7vsnoxsw424ypvgq65n5v3jjl2thxd/providers/Microsoft.Network/virtualNetworks/ag3Vnet","name":"ag3Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/virtualNetworks/gw1Vnet","name":"gw1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id"
:"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/publicIPAddresses/myip1","name":"myip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_rules_with_ipgroupse4upfibqoujmdn4odvtgrbuvqqgdvwd7/providers/Microsoft.Network/ipGroups/destinationipgroup","name":"destinationipgroup","type":"Microsoft.Network/ipGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsoft.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"ea
stus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsoft.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_cannotdelete_resource_lockp2vpt5v2he5l5lpljydc66rxibmhoup3larmvhfp/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc2nxt66ls36dcstgfd","name":"cli.lock.rsrc2nxt66ls36dcstgfd","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclinlgstl3ndjbx","name":"eh-nsclinlgstl3ndjbx","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclipqjpqzaomo64","name":"eh-nsclipqjpqzaomo64","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclicrivl23n25yr","name":"eh-nsclicrivl23n25yr","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclig5topw26qop5","name":"eh-nsclig5topw26qop5","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscli475lksshlq57","name":"eh-nscli475lksshlq57","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscliu2aq4ygqmjba","name":"eh-nscliu2aq4ygqmjba","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_keyvault_pev5vwohwc5dirit6qvqyfeegxyzgtbpue3d4a4xukv4utxpa4fi66itm/providers/Microsoft.Network/virtualNetworks/cli-vnet-blvqpkews4d4q7d","name":"cli-vnet-blvqpkews4d4q7d","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_lock_commands_with_idsc55ctm7bpevokevkktalaoyz2p5l4dzgkpg4qzkqms2f/providers/Microsoft.Network/virtualNetworks/cli-lock-vnet2nc4zyqpfujk7cwff","name":"cli-lock-vnet2nc4zyqpfujk7cwff","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_lock_with_resource_id5qpr54vb6ehq2jvhrqrykzbtsecocigfrjpb7lm5khjow/providers/Microsoft.Network/virtualNetworks/cli-lock-vnetxqf2q7rcoora3rqmh","name":"cli-lock-vnetxqf2q7rcoora3rqmh","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_mixed_realitygv2l3elh76a7brm66drgektfyzfsijxog6smmqzg6dnn2r7ofuf6c/providers/Microsoft.MixedReality/spatialAnchorsAccounts/MyAccount","name":"MyAccount","type":"Microsoft.MixedReality/spatialAnchorsAccounts","location":"eastus2euap","identity":{"type":"None"},"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},
{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_readonly_resource_lock6bfvuem2zkfzr3cnurim3clv7gdf22d3ysjlfgmz52vf/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrcntcafojd6yojogsr7","name":"cli.lock.rsrcntcafojd6yojogsr7","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_id34isokctjnpwlh4b43aen7orkzdhyop6p3vc7ppqypp4p5ooz2huzak/providers/Microsoft.Network/virtualNetworks/cli_test_resource_id_vnet","name":"cli_test_resource_id_vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_link_scenariokdv5vstd4cie
qqpv4oqwhgdj3dw5fsz4wgdczdaieng5/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_lockkbg3wd23f2pez5mppjtcg37ikc7fxaylmn2mu2va7u4e7ouulk5ar/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc3tk6yei5iyvhkrqlm","name":"cli.lock.rsrc3tk6yei5iyvhkrqlm","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliaqfra2n2au2q","name":"sb-nscliaqfra2n2au2q","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag2: - value2,":"","tag1: value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliqhxbpvrow6v6","name":"sb-nscliqhxbpvrow6v6","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag2: - value2,":"","tag1: 
value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nsclirfgvnl4guyma","name":"sb-nsclirfgvnl4guyma","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nscliucbt7pri3etf","name":"sb-nscliucbt7pri3etf","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router4jftwvqg7c4qf5cl3equryyrich6sye6mu3ab27focv2xez3nrvf/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router6ah44hkwaiunishzfuakmk5j5tyguwqurycesvryomjcsmjcc3p3/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router73dbgjwlekowfnjih5ovae4bmu67izrdit2jebvknbqfgtvi3fne/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router7cibbvfjttlgg6zw3z5yxqbgc3lzjyfzoowpvfct7grmsrch5xtx/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"
westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerdr74a62ccu2ctpd6p56d4jrg6u4nxcmdjb4w445u4llvpmhbq2wi/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routeri2y6ofthh2s7lli2hn6duuoskl7f4zt73faffn6oi6wlioswhbhp/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerrwfem26esani3ontudyvh6glkoyc5xncjnzxg5j6z4mfiphsuh5e/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routert4sl4vlahkzkcf66gopghh6emixxvcxilh5ztirviuxg6lqoyoc4/providers/Microsoft.Network/virtualRouters/vrouter1","n
ame":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routervbaalksbo2ix37kt34tq3p5y7g4ywwh2mr2qqgxwio6ii2xm5qhb/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerw43o33exwyp6rxe6dh6qnw4o2rwsxabnftuzapcb2hvajghh33de/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerwiw43ukelamlqitzkvo2kkirlniy6nhcrydg3qtwapx6koz7hfgf/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerxcouawbpkduxdg5xbsn3casuh7q3cvf2unu367kruseazch4w3di/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routery7hke7smvznjb6jyeiiyo6vmcswslr34p2anmj2c3zs25osa4ec7/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/loadBalancers/vmss123LB","name":"vmss123LB","type":"Microsoft.Network/loadBalancers","sku":{"name":"Standard"},"location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswo
tqfbtvxoypm/providers/Microsoft.Network/networkSecurityGroups/vmss123NSG","name":"vmss123NSG","type":"Microsoft.Network/networkSecurityGroups","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/publicIPAddresses/vmss123LBPublicIP","name":"vmss123LBPublicIP","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus2","zones":["2"],"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/virtualNetworks/vmss123VNET","name":"vmss123VNET","type":"Microsoft.Network/virtualNetworks","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg2qgvxjxy46scnjuh6q5gtypebpi5oeuajfgxb7yrrsggnqxrij6pnc3d7ybz2chih/providers/Microsoft.RecoveryServices/vaults/clitest-vaultcriakztggjr","name":"clitest-vaultcriakztggjr","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg35pihforqftkb5qllg3t75zoxlztjwsmuftgdsphbiy2r3adx3t3spnkzzs2c5c4s/providers/Microsoft.RecoveryServices/vaults/clitest-vaultonvx2gbjtjz","name":"clitest-vaultonvx2gbjtjz","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg3s3h2izedr4olwdk4jqjhltn4lkukfixgfalhtfjmiy6u3xndqvdkrr4j4jqhx6hu/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjs23w5bobvn","name":"clitest-vaultjs23w5bobvn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.RecoveryServices
/vaults/clitest-vault37l77wc5c65","name":"clitest-vault37l77wc5c65","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.Storage/storageAccounts/clitestu3p7a7ib4n4y7gt4m","name":"clitestu3p7a7ib4n4y7gt4m","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6mxjzuorkskzxoisjj4q7leopfu5mge2nncxfuw33pn7w5rzgt6nqhx3f2koq427p/providers/Microsoft.RecoveryServices/vaults/clitest-vaultqcbszkdhprt","name":"clitest-vaultqcbszkdhprt","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgduxuhyeqzrek7s3jfr776qvugv4qtmrxnlqcwiodxu2wihvqvuajr5bvtbfw2c74d/providers/Microsoft.RecoveryServices/vaults/clitest-vaultvgik7njuazq","name":"clitest-vaultvgik7njuazq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgdzk3w2kpwtbjaippkz6nrab53pinz3nbdcoxurf2fm477d5j2qa43kpmvlh34nudn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultijxt4x4hr4n","name":"clitest-vaultijxt4x4hr4n","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgeklv32akhatp5eikltrbwu3nv7knshqr3ftxpzao7mqusloghl7zsduclggbkqpyg/providers/Microsoft.ContainerRegistry/registries/clireghnxtzih6elkkp7","name":"clireghnxtzih6elkkp7","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Standard","tier":"Standard"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg
ib3viqdhrawwnaopavpcsc2u3psfod7wlami5tg57borlex2io2b7nolpz4qxhm5p/providers/Microsoft.RecoveryServices/vaults/clitest-vaulte5qqz3zjihv","name":"clitest-vaulte5qqz3zjihv","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgljk7owl4ldwt37zws4grwrer6zjnyeqczgvqzr4vcrrhju7sv5a2sc567rezz2q7b/providers/Microsoft.ContainerRegistry/registries/cliregcn7lqgzmomxrit","name":"cliregcn7lqgzmomxrit","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Premium","tier":"Premium"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgmjjmywipmiqslgzl7tzax3aje4fcv3q5xr2h7hulg63ehpwno2mu7ij7dokxqbh5x/providers/Microsoft.RecoveryServices/vaults/clitest-vaultqofbmffwsre","name":"clitest-vaultqofbmffwsre","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgp535jz2dxemblsqlvzwsk4ehth7eprd5yny22fi5rppnick62nncsonvlutvmvbje/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsqo77eexzn","name":"clitest-vaulttsqo77eexzn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgr5sog7j3q3a5o2vy3r4gpl3ylcovxfcbkttkotqe653iz4mlsrbjns76tv4v4lbqq/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfe6e244jgwn","name":"clitest-vaultfe6e244jgwn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rguk5hr7imq2zbvjzaogkt7gke2onbbn6sr3ux5rfdiqufofpfrmblbmbzrtd663lkn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfiskwqfysgb","name":"clitest-vaultfiskwqfysgb","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"w
estus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgyreu2qkpgqyrm56i4cocrrcf5xb2uzmvlm2lau226cqk6zetyu5olii7figpx2mix/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsindhzqq4y","name":"clitest-vaulttsindhzqq4y","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgzj3xc6lmggzuorcimokxvkq7lrrxtcty3dilmrxzwdjcq35dqahmc7e7snha4milh/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjlixfyp46tq","name":"clitest-vaultjlixfyp46tq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cloud-shell-storage-westus/providers/Microsoft.Storage/storageAccounts/cs40b1f64711bf0x4ddaxaec","name":"cs40b1f64711bf0x4ddaxaec","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cls_test_adls_fileagud65zszgmmhrjitvc3xrvbjqgzo6e2k6hz6q32xaahz3liu6bllegbz/providers/Microsoft.DataLakeStore/accounts/cliadls7i4c6a3r2irkh5ezr","name":"cliadls7i4c6a3r2irkh5ezr","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/CliGtTestVnet6623","name":"CliGtTestVnet6623","type":"Microsoft.ClassicNetwork/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/networkInterfaces/sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","name":"sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/000000
00-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/privateLinkServices/sdfsdfsdf","name":"sdfsdfsdf","type":"Microsoft.Network/privateLinkServices","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/virtualNetworks/vnettest","name":"vnettest","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.alertsmanagement/smartDetectorAlertRules/Failure - Anomalies - fengwsinsightsf6615a96b9","name":"Failure Anomalies - fengwsinsightsf6615a96b9","type":"microsoft.alertsmanagement/smartDetectorAlertRules","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/actiongroups/Application - Insights Smart Detection","name":"Application Insights Smart Detection","type":"microsoft.insights/actiongroups","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/components/fengwsinsightsf6615a96b9","name":"fengwsinsightsf6615a96b9","type":"microsoft.insights/components","kind":"web","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.KeyVault/vaults/fengwskeyvault7b56d2ee87","name":"fengwskeyvault7b56d2ee87","type":"Microsoft.KeyVault/vaults","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.MachineLearningServices/workspaces/feng-ws","name":"feng-ws","type":"Microsoft.MachineLearningServices/workspaces","sku":{"name":"Basic","tier":"Basic"},"location":"westus2","identity":{"principalId":"e08a42f0-29de-46db-a246-9e14da9a92eb","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subs
criptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/feng-test-space","name":"feng-test-space","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2","name":"my-test-space-2","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-1","name":"my-test-space-2/my-hub-1","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-2","name":"my-test-space-2/my-hub-2","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-3","name":"my-test-space-3","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengsa","name":"fengsa","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengwsstorage28dfde17cb1","name":"fengwsstorage28dfde
17cb1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/diskEncryptionSets/des1","name":"des1","type":"Microsoft.Compute/diskEncryptionSets","location":"centraluseuap","identity":{"principalId":"972fc458-2d2c-4db5-936b-2d7064770777","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/disks/disk1","name":"disk1","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/FYTEST/providers/Microsoft.Compute/disks/vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","name":"vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/snapshots/s1","name":"s1","type":"Microsoft.Compute/snapshots","sku":{"name":"Standard_LRS","tier":"Standard"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","name":"vm","type":"Microsoft.Compute/virtualMachines","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.KeyVault/vaults/vault4848","name":"vault4848","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceG
roups/fytest/providers/Microsoft.Network/networkInterfaces/vmVMNic","name":"vmVMNic","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/networkSecurityGroups/vmNSG","name":"vmNSG","type":"Microsoft.Network/networkSecurityGroups","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/publicIPAddresses/vmPublicIP","name":"vmPublicIP","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/virtualNetworks/vmVNET","name":"vmVNET","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","name":"harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","name":"harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers
/Microsoft.Compute/disks/harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","name":"harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","name":"harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","name":"harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","name":"harold-cm-vm-01","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-01/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-00
00-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","name":"harold-cm-vm-02","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-02/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03","name":"harold-cm-vm-03","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-03/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","name":"harold-cm-vm-04","type":"Microsoft.Compute/virtualMachines","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-04/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","name":"harold-cm-vm-05","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05
/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-05/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-01235","name":"harold-cm-vm-01235","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0243","name":"harold-cm-vm-0243","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-03344","name":"harold-cm-vm-03344","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0489","name":"harold-cm-vm-0489","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-05892","name":"harold-cm-vm-05892","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-01-nsg","name":"harold-cm-vm-01-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-02-nsg","name":"harold-cm-vm-02-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/pr
oviders/Microsoft.Network/networkSecurityGroups/harold-cm-vm-03-nsg","name":"harold-cm-vm-03-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-04-nsg","name":"harold-cm-vm-04-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-05-nsg","name":"harold-cm-vm-05-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-01-ip","name":"harold-cm-vm-01-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-02-ip","name":"harold-cm-vm-02-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-03-ip","name":"harold-cm-vm-03-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-04-ip","name":"harold-cm-vm-04-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-05-ip","name":"harold-cm-vm-05-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name"
:"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/harold-test-vnet","name":"harold-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet745","name":"haroldtestvnet745","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet914","name":"haroldtestvnet914","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.OperationalInsights/workspaces/harold-log-analysis","name":"harold-log-analysis","type":"Microsoft.OperationalInsights/workspaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag","name":"haroldtestdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag482","name":"haroldtestdiag482","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag596","name":"haroldtestdiag596","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-00
0000000000/resourceGroups/javacsmrg46947/providers/Microsoft.EventHub/namespaces/ns1305011933","name":"ns1305011933","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.KeyVault/vaults/jlkv0130","name":"jlkv0130","type":"Microsoft.KeyVault/vaults","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.Storage/storageAccounts/jlcsst","name":"jlcsst","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/JLVM2RG/providers/Microsoft.Compute/disks/jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","name":"jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","name":"jlvm2","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkInterfaces/jlvm2980","name":"jlvm2980","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkSecurityGroups/jlvm2-nsg","name":"jlvm2-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-
0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/publicIPAddresses/jlvm2-ip","name":"jlvm2-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/virtualNetworks/jlvm2rg-vnet","name":"jlvm2rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_canadaeast","name":"NetworkWatcher_canadaeast","type":"Microsoft.Network/networkWatchers","location":"canadaeast"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centralus","name":"NetworkWatcher_centralus","type":"Microsoft.Network/networkWatchers","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centraluseuap","name":"NetworkWatcher_centraluseuap","type":"Microsoft.Network/networkWatchers","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastasia","name":"NetworkWatcher_eastasia","type":"Microsoft.Network/networkWatchers","location":"eastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2","name":"NetworkWatcher_eastus2","type":"Microsoft.Network/networkWatchers","location
":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southeastasia","name":"NetworkWatcher_southeastasia","type":"Microsoft.Network/networkWatchers","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus","name":"NetworkWatcher_westcentralus","type":"Microsoft.Network/networkWatchers","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus","name":"NetworkWatcher_westus","type":"Microsoft.Network/networkWatchers","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/serverFarms/bookstore-westus2","name":"bookstore-westus2","type":"Microsoft.Web/serverFarms","sku":{"name":"P1v2","tier":"PremiumV2","size":"P1v2","family":"Pv2","capacity":1},"kind":"linux","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/sites/emerald-bookstore","name":"emerald-bookstore","type":"Microsoft.Web/sites","kind":"app,linux","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTEST
RG2BDF0168/providers/Microsoft.Compute/disks/PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","name":"PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","location":"southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","name":"PSTestVM2bdf00","type":"Microsoft.Compute/virtualMachines","location":"southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkInterfaces/PSTestNIC2bdf00","name":"PSTestNIC2bdf00","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkSecurityGroups/PSTestNSG2bdf00","name":"PSTestNSG2bdf00","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/publicIPAddresses/pstestpublicdns2bdf00","name":"pstestpublicdns2bdf00","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/virtualNetworks/PSTestVNET2bdf00","name":"PSTestVNET2bdf00","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourc
eGroups/QIANWENS/providers/Microsoft.Compute/disks/qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","name":"qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","name":"qianwen-ubuntu","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkInterfaces/qianwen-ubuntu473","name":"qianwen-ubuntu473","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkSecurityGroups/qianwen-ubuntu-nsg","name":"qianwen-ubuntu-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/publicIPAddresses/qianwen-ubuntu-ip","name":"qianwen-ubuntu-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/virtualNetworks/qianwens-vnet","name":"qianwens-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Storage/storageAccounts/qianwensdiag","name":"qianwensdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscri
ptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/networkInterfaces/anf-sdk-vnet-nic-VLB5RZ","name":"anf-sdk-vnet-nic-VLB5RZ","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/virtualNetworks/sdk-vnet","name":"sdk-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro1","name":"storagesfrepro1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro10","name":"storagesfrepro10","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro11","name":"storagesfrepro11","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro12","name":"storagesfrepro12","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro13","name":"storagesfrepro13","type":"Microsoft.Storage/storageAccou
nts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro14","name":"storagesfrepro14","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro15","name":"storagesfrepro15","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro16","name":"storagesfrepro16","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro17","name":"storagesfrepro17","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro18","name":"storagesfrepro18","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro19","name":"storagesfrepro19","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","t
ier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro2","name":"storagesfrepro2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro20","name":"storagesfrepro20","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro21","name":"storagesfrepro21","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro22","name":"storagesfrepro22","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro23","name":"storagesfrepro23","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro24","name":"storagesfrepro24","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","loc
ation":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro25","name":"storagesfrepro25","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro3","name":"storagesfrepro3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro4","name":"storagesfrepro4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro5","name":"storagesfrepro5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro6","name":"storagesfrepro6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro7","name":"storagesfrepro7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscripti
ons/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro8","name":"storagesfrepro8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro9","name":"storagesfrepro9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xiaojianxu/providers/Microsoft.RecoveryServices/vaults/vault418","name":"vault418","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"RS0","tier":"Standard"},"location":"eastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Batch/batchAccounts/yeming","name":"yeming","type":"Microsoft.Batch/batchAccounts","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.DataLakeStore/accounts/yemingdatalake","name":"yemingdatalake","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.KeyVault/vaults/yeming","name":"yeming","type":"Microsoft.KeyVault/vaults","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Storage/storageAccounts/yeming","name":"yeming","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/YU-TEST-RG/providers/Microsoft.Compute/disks/yu-vm-file-sync_OsDisk_1_e7e0057e014a48
92b36383bf731f3bdf","name":"yu-vm-file-sync_OsDisk_1_e7e0057e014a4892b36383bf731f3bdf","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","name":"yu-vm-file-sync","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/networkInterfaces/yu-vm-file-sync535","name":"yu-vm-file-sync535","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/networkSecurityGroups/yu-vm-file-sync-nsg","name":"yu-vm-file-sync-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/publicIPAddresses/yu-vm-file-sync-ip","name":"yu-vm-file-sync-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/virtualNetworks/yu-test-rg-vnet","name":"yu-test-rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Storage/storageAccounts/yustorageaccountforsync","name":"yustorageaccountforsync","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/pro
viders/Microsoft.StorageSync/storageSyncServices/yu-storage-sync","name":"yu-storage-sync","type":"Microsoft.StorageSync/storageSyncServices","location":"eastus","tags":{"zhoxing_test":"1"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.ApiManagement/service/test-serv","name":"test-serv","type":"Microsoft.ApiManagement/service","sku":{"name":"Developer","capacity":1},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest","name":"zhoxingtest","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest2","name":"zhoxingtest2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest3","name":"zhoxingtest3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest4","name":"zhoxingtest4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest5","name":"zhoxingtest5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/su
bscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest6","name":"zhoxingtest6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest7","name":"zhoxingtest7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest8","name":"zhoxingtest8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest9","name":"zhoxingtest9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.DataLakeStore/accounts/zuhdls","name":"zuhdls","type":"Microsoft.DataLakeStore/accounts","location":"eastus2","identity":{"principalId":"327a3561-97d1-4836-8a67-ddd60546701a","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors1","name":"zuhors1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors2","name":"zu
hors2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}}]}' + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv1","name":"cheggkv1","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv3","name":"cheggkv3","type":"Microsoft.KeyVault/vaults","location":"eastus2","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cheggmsi","name":"cheggmsi","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet1","name":"cheggvnet1","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet2","name":"cheggvnet2","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet3","name":"cheggvnet3","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.KeyVault/vaults/cheggkv2","name":"cheggkv2","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.ManagedId
entity/userAssignedIdentities/cheggmsi2","name":"cheggmsi2","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"canadaeast","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_northcentralus","name":"NetworkWatcher_northcentralus","type":"Microsoft.Network/networkWatchers","location":"northcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2","tags":{"mockTag":"mockValue"}}]}' headers: cache-control: - no-cache content-length: - - '93047' + - '3506' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:53 GMT + - Thu, 06 Feb 2020 00:09:01 GMT expires: - '-1' pragma: 
@@ -360,7 +336,7 @@ interactions: ParameterSetName: - -l User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -368,21 +344,16 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?$filter=location%20eq%20%27southcentralus%27&api-version=2019-07-01 response: body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclinlgstl3ndjbx","name":"eh-nsclinlgstl3ndjbx","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclicrivl23n25yr","name":"eh-nsclicrivl23n25yr","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscli475lksshlq57","name":"eh-nscli475lksshlq57","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliaqfra2n2au2q","name":"sb-nscliaqfra2n2au2q","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag2: - value2,":"","tag1: value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nscliucbt7pri3etf","name":"sb-nscliucbt7pri3etf","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2","name":"my-test-space-2","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-1","name":"my-test-space-2/my-hub-1","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-2","name":"my-test-space-2/my-hub-2","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-3","name":"my-test-space-3","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/javacsmrg46947/providers/Microsoft.EventHub/namespaces/ns1305011933","name":"ns1305011933","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus"}]}' + string: 
'{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus","tags":{"mockTag":"mockValue"}}]}' headers: cache-control: - no-cache content-length: - - '4258' + - '684' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:54 GMT + - Thu, 06 Feb 2020 00:09:01 GMT expires: - '-1' pragma: @@ -410,7 +381,7 @@ interactions: ParameterSetName: - --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -418,16 +389,16 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?$filter=resourceType%20eq%20%27Microsoft.Network%2FvirtualNetworks%27&api-version=2019-07-01 response: body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/virtualNetworks/azure-cli-test-vnet","name":"azure-cli-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet","name":"bim-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet1","name":"bim-vnet1","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-01","name":"cli-vnet-lefr-01","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroup
s/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/virtualNetworks/cli-vnet-mycjrnigtyehfpg","name":"cli-vnet-mycjrnigtyehfpg","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/virtualNetworks/cli-vnet-k2bku3zrpd6otc3","name":"cli-vnet-k2bku3zrpd6otc3","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.Network/virtualNetworks/cli-vnet-p72pwguegdqr24o","name":"cli-vnet-p72pwguegdqr24o","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_basichde6z7i6uitoprhnxhc2tcczb53v6lmwmio6622bi5r4mxh63ajmi2pt3o/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_frontend_ip_public5ai45fzxsaynqianqu4p2bxn5hnfyqeucp3lvd3hockxh/providers/Microsoft.Network/virtualNet
works/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_http_settingsdt4567buy5ceiha6k7t6tlhv3f5bbhdopzvwoytluy3dxkt7h6/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_private_ipwigllraqvruqp5jbpfefwlp7vsnoxsw424ypvgq65n5v3jjl2thxd/providers/Microsoft.Network/virtualNetworks/ag3Vnet","name":"ag3Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/virtualNetworks/gw1Vnet","name":"gw1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_cannotdelete_resource_lockp2vpt5v2he5l5lpljydc66rxibmhoup3larmvhfp/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc2nxt66ls36dcstgfd","name":"cli.lock.rsrc2nxt66ls36dcstgfd","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_keyvault_pev5vwohwc5dirit6qvqyfeegxyzgtbpue3d4a4xukv4utxpa4fi66itm/providers/Microsoft.Network/virtualNetworks/cli-vnet-blvqpkews4d4q7d","name":"cli-vnet-blvqpkews4d4q7d","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000
-000000000000/resourceGroups/cli_test_lock_commands_with_idsc55ctm7bpevokevkktalaoyz2p5l4dzgkpg4qzkqms2f/providers/Microsoft.Network/virtualNetworks/cli-lock-vnet2nc4zyqpfujk7cwff","name":"cli-lock-vnet2nc4zyqpfujk7cwff","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_lock_with_resource_id5qpr54vb6ehq2jvhrqrykzbtsecocigfrjpb7lm5khjow/providers/Microsoft.Network/virtualNetworks/cli-lock-vnetxqf2q7rcoora3rqmh","name":"cli-lock-vnetxqf2q7rcoora3rqmh","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_msi_no_scopefa5injgnsnwryna2d2pzwodyox6xdi37zj5bme3fvrjumzvh653k4v/providers/Microsoft.Network/virtualNetworks/vm1VNET","name":"vm1VNET","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_readonly_resource_lock6bfvuem2zkfzr3cnurim3clv7gdf22d3ysjlfgmz52vf/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrcntcafojd6yojogsr7","name":"cli.lock.rsrcntcafojd6yojogsr7","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_id34isokctjnpwlh4b43aen7orkzdhyop6p3vc7ppqypp
4p5ooz2huzak/providers/Microsoft.Network/virtualNetworks/cli_test_resource_id_vnet","name":"cli_test_resource_id_vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_link_scenariokdv5vstd4cieqqpv4oqwhgdj3dw5fsz4wgdczdaieng5/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_lockkbg3wd23f2pez5mppjtcg37ikc7fxaylmn2mu2va7u4e7ouulk5ar/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc3tk6yei5iyvhkrqlm","name":"cli.lock.rsrc3tk6yei5iyvhkrqlm","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/virtualNetworks/vmss123VNET","name":"vmss123VNET","type":"Microsoft.Network/virtualNetworks","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/virtualNetworks/vnettest","name":"vnettest","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceG
roups/fytest/providers/Microsoft.Network/virtualNetworks/vmVNET","name":"vmVNET","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/harold-test-vnet","name":"harold-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet745","name":"haroldtestvnet745","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet914","name":"haroldtestvnet914","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/virtualNetworks/jlvm2rg-vnet","name":"jlvm2rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/virtualNetworks/PSTestVNET2bdf00","name":"PSTestVNET2bdf00","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/virtualNetworks/qianwens-vnet","name":"qianwens-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/virtualNetworks/sdk-vnet","name":"sdk-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/virtualNetworks/yu-test-rg-vnet","name":"yu-test-rg-vnet"
,"type":"Microsoft.Network/virtualNetworks","location":"eastus"}]}' + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet1","name":"cheggvnet1","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet2","name":"cheggvnet2","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet3","name":"cheggvnet3","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002","name":"vnet-000002","type":"Microsoft.Network/virtualNetworks","location":"southcentralus","tags":{"cli-test":"test"}}]}' headers: cache-control: - no-cache content-length: - - '11896' + - '1099' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:56 GMT + - Thu, 06 Feb 2020 00:09:02 GMT expires: - '-1' pragma: @@ -455,7 +426,7 @@ interactions: ParameterSetName: - --name User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -472,7 +443,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:56 GMT + - Thu, 06 Feb 2020 00:09:03 GMT expires: - '-1' pragma: 
@@ -500,7 +471,7 @@ interactions: ParameterSetName: - --tag User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -517,7 +488,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:57 GMT + - Thu, 06 Feb 2020 00:09:03 GMT expires: - '-1' pragma: @@ -545,7 +516,7 @@ interactions: ParameterSetName: - --tag User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -562,7 +533,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:40:58 GMT + - Thu, 06 Feb 2020 00:09:04 GMT expires: - '-1' pragma: @@ -590,7 +561,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -605,7 +576,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPAddresses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -613,13 +584,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkInterfaces","locations":["West 
@@ -629,7 +599,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateEndpoints","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -637,7 +607,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateEndpointRedirectMaps","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -645,7 +615,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"loadBalancers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -653,7 +623,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"networkSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -661,7 +631,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -669,7 +639,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"serviceEndpointPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -677,7 +647,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkIntentPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -685,7 +655,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","France South","Australia Central","South Africa North","UAE North","Switzerland North","Germany - West Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, + West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"routeTables","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -693,7 +663,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPPrefixes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -701,13 +671,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa 
North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ddosCustomPolicies","locations":["West @@ -717,7 +686,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -725,7 +694,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/connectionMonitors","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -733,7 +702,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/flowLogs","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -741,7 +710,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/lenses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -749,7 +718,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/pingMeshes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -757,7 +726,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"virtualNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -765,7 +734,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"localNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -773,7 +742,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"connections","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -781,7 +750,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -789,13 +758,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"applicationGatewayWebApplicationFirewallPolicies","locations":["West 
@@ -805,7 +773,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"locations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06
-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/CheckDnsNameAvailability","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -813,98 +781,98 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - 
Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada 
Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"20
16-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2016-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"dnsOperationResults","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnsOperationStatuses","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"getDnsResourceReference","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"internalNotify","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/A","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/AAAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CNAME","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/PTR","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/MX","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/TXT"
,"locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SRV","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SOA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/NS","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/recordsets","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/all","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"privateDnsZones","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateDnsZones/virtualNetworkLinks","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"privateDnsOperationResults","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsOperationStatuses","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/A","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/AAAA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/CNAME","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/PTR","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/MX","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/TXT","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SRV","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SOA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/all","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"trafficmanagerprofiles","locations":["global"],"apiVersions":["2018-08-01","2018-04-01","201
8-03-01","2018-02-01","2017-05-01","2017-03-01","2015-11-01","2015-04-28-preview"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, 
@@ -915,7 +883,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, 
SupportsLocation"},{"resourceType":"expressRouteServiceProviders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableWafRuleSets","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableSslOptions","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableServerVariables","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableRequestHeaders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableResponseHeaders","locations":[],"apiVersions
":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"routeFilters","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -923,7 +891,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"bgpServiceCommunities","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"capabilities":"None"},{"resourceType":"virtualWans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -931,7 +899,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnSites","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -939,15 +907,14 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnServerConfigurations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South - Africa North","Switzerland North","Germany West Central","Norway East","Central - US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + Africa North","Switzerland North","Germany West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"virtualHubs","locations":["West 
US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil @@ -955,7 +922,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -963,7 +930,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"p2sVpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -971,7 +938,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","UAE North","South Africa North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"expressRouteGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -979,39 +946,20 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"firewallPolicies","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"defaultApiVersion":"2019-06-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ipGroups","locations":["UAE - North","Australia Central 2","UAE Central","Germany North","Central India","Korea - South","Switzerland North","Switzerland West","Japan West","France South","South - Africa West","West India","Canada East","South India","Germany West Central","Norway - East","Norway West","South Africa North","East Asia","Southeast Asia","Korea - Central","Brazil South","Japan East","UK West","West US","East US","North - Europe","West 
Europe","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","West Central US","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","France Central","Australia Central","Japan West","Japan East","Korea Central","Korea South","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East 
US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"azureFirewallFqdnTags","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"capabilities":"None"},{"resourceType":"virtualNetworkTaps","locations":["West @@ -1021,7 +969,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1029,7 +977,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"ddosProtectionPlans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1037,7 +985,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"networkProfiles","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1045,70 +993,58 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"webApplicationFirewallPolicies","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"locations/bareMetalTenants","locations":["West + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","West + US 2","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan + West","Brazil South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/bareMetalTenants","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"virtualRouters","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"natGateways","locations":["Central - US EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"defaultApiVersion":"2018-11-01","zoneMappings":[{"location":"Central - US EUAP","zones":["1","2"]}],"capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","North Europe","West Europe","East - Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-05-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"webApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North 
Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","West US 2","North Europe","West - Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"virtualRouters","locations":["West US","East + US","North Europe","West Europe","West Central US","South Central US","Australia + East","Australia Central","Australia Southeast","UK South","East US 2","West + US 2","North Central US","Canada Central","France Central","Central US"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '77426' + - '72400' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:00 GMT + - Thu, 06 Feb 2020 00:09:05 GMT expires: - '-1' pragma: 
@@ -1136,7 +1072,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -1145,15 +1081,15 @@ interactions: response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {\r\n \"cli-test\": \"test\"\r\n },\r\n \"properties\": {\r\n - \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \ \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n \ ]\r\n },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n \ },\r\n \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -1168,9 +1104,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:00 GMT + - Thu, 06 Feb 2020 00:09:05 GMT etag: - - W/"3b4c6c0e-8942-4a14-b39f-683d225d5ee4" + - W/"42ab806e-4d4b-42ef-a6c5-034c30a8122a" expires: - '-1' pragma: @@ -1187,7 +1123,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - abe86edc-0b17-42b7-8d44-1fdb2ebbc8d3 + - ded347e6-7ac0-4c11-a02a-ed7b2a8d0807 status: code: 200 message: OK @@ -1205,7 +1141,7 @@ interactions: ParameterSetName: - -n -g --namespace --parent --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -1220,7 +1156,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPAddresses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1228,13 +1164,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkInterfaces","locations":["West 
@@ -1244,7 +1179,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateEndpoints","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1252,7 +1187,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateEndpointRedirectMaps","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1260,7 +1195,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"loadBalancers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1268,7 +1203,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"networkSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1276,7 +1211,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1284,7 +1219,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"serviceEndpointPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1292,7 +1227,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkIntentPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1300,7 +1235,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","France South","Australia Central","South Africa North","UAE North","Switzerland North","Germany - West Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, + West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"routeTables","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1308,7 +1243,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPPrefixes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1316,13 +1251,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa 
North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ddosCustomPolicies","locations":["West @@ -1332,7 +1266,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1340,7 +1274,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/connectionMonitors","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1348,7 +1282,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/flowLogs","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1356,7 +1290,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/lenses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1364,7 +1298,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/pingMeshes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1372,7 +1306,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"virtualNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1380,7 +1314,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"localNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1388,7 +1322,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"connections","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1396,7 +1330,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1404,13 +1338,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"applicationGatewayWebApplicationFirewallPolicies","locations":["West 
@@ -1420,7 +1353,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"locations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-
06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/CheckDnsNameAvailability","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1428,98 +1361,98 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - 
Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada 
Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"20
16-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2016-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"dnsOperationResults","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnsOperationStatuses","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"getDnsResourceReference","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"internalNotify","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/A","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/AAAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CNAME","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/PTR","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/MX","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/TXT"
,"locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SRV","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SOA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/NS","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/recordsets","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/all","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"privateDnsZones","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateDnsZones/virtualNetworkLinks","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"privateDnsOperationResults","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsOperationStatuses","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/A","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/AAAA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/CNAME","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/PTR","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/MX","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/TXT","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SRV","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SOA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/all","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"trafficmanagerprofiles","locations":["global"],"apiVersions":["2018-08-01","2018-04-01","201
8-03-01","2018-02-01","2017-05-01","2017-03-01","2015-11-01","2015-04-28-preview"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, 
@@ -1530,7 +1463,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, 
SupportsLocation"},{"resourceType":"expressRouteServiceProviders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableWafRuleSets","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableSslOptions","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableServerVariables","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableRequestHeaders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableResponseHeaders","locations":[],"apiVersions
":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"routeFilters","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1538,7 +1471,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"bgpServiceCommunities","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"capabilities":"None"},{"resourceType":"virtualWans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1546,7 +1479,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnSites","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1554,15 +1487,14 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnServerConfigurations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South - Africa North","Switzerland North","Germany West Central","Norway East","Central - US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + Africa North","Switzerland North","Germany West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"virtualHubs","locations":["West 
US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil @@ -1570,7 +1502,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1578,7 +1510,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"p2sVpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1586,7 +1518,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","UAE North","South Africa North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"expressRouteGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1594,39 +1526,20 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"firewallPolicies","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"defaultApiVersion":"2019-06-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ipGroups","locations":["UAE - North","Australia Central 2","UAE Central","Germany North","Central India","Korea - South","Switzerland North","Switzerland West","Japan West","France South","South - Africa West","West India","Canada East","South India","Germany West Central","Norway - East","Norway West","South Africa North","East Asia","Southeast Asia","Korea - Central","Brazil South","Japan East","UK West","West US","East US","North - Europe","West 
Europe","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","West Central US","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","France Central","Australia Central","Japan West","Japan East","Korea Central","Korea South","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East 
US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"azureFirewallFqdnTags","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"capabilities":"None"},{"resourceType":"virtualNetworkTaps","locations":["West @@ -1636,7 +1549,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1644,7 +1557,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"ddosProtectionPlans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1652,7 +1565,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"networkProfiles","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1660,70 +1573,58 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"webApplicationFirewallPolicies","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"locations/bareMetalTenants","locations":["West + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","West + US 2","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan + West","Brazil South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/bareMetalTenants","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"virtualRouters","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"natGateways","locations":["Central - US EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"defaultApiVersion":"2018-11-01","zoneMappings":[{"location":"Central - US EUAP","zones":["1","2"]}],"capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","North Europe","West Europe","East - Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-05-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"webApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North 
Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","West US 2","North Europe","West - Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"virtualRouters","locations":["West US","East + US","North Europe","West Europe","West Central US","South Central US","Australia + East","Australia Central","Australia Southeast","UK South","East US 2","West + US 2","North Central US","Canada Central","France Central","Central US"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '77426' + - '72400' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:01 GMT + - Thu, 06 Feb 2020 00:09:06 GMT expires: - '-1' pragma: 
@@ -1751,7 +1652,7 @@ interactions: ParameterSetName: - -n -g --namespace --parent --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -1760,7 +1661,7 @@ interactions: response: body: string: "{\r\n \"name\": \"subnet-000003\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n \"properties\": + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"addressPrefix\": \"10.0.0.0/24\",\r\n \ \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \ \"privateLinkServiceNetworkPolicies\": \"Enabled\"\r\n },\r\n \"type\": @@ -1773,9 +1674,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:02 GMT + - Thu, 06 Feb 2020 00:09:06 GMT etag: - - W/"3b4c6c0e-8942-4a14-b39f-683d225d5ee4" + - W/"42ab806e-4d4b-42ef-a6c5-034c30a8122a" expires: - '-1' pragma: @@ -1792,7 +1693,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 674f6aae-c97b-4ccf-9b63-af57b617aeea + - 75da08e6-949b-40ac-8e56-0b1d201fc152 status: code: 200 message: OK @@ -1810,7 +1711,7 @@ interactions: ParameterSetName: - -n -g --resource-type --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -1825,7 +1726,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPAddresses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1833,13 +1734,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkInterfaces","locations":["West 
@@ -1849,7 +1749,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateEndpoints","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1857,7 +1757,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateEndpointRedirectMaps","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1865,7 +1765,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"loadBalancers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -1873,7 +1773,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"networkSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1881,7 +1781,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -1889,7 +1789,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"serviceEndpointPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1897,7 +1797,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkIntentPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1905,7 +1805,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","France South","Australia Central","South Africa North","UAE North","Switzerland North","Germany - West Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, + West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"routeTables","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1913,7 +1813,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPPrefixes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1921,13 +1821,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa 
North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ddosCustomPolicies","locations":["West @@ -1937,7 +1836,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1945,7 +1844,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/connectionMonitors","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1953,7 +1852,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/flowLogs","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1961,7 +1860,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/lenses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1969,7 +1868,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/pingMeshes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1977,7 +1876,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"virtualNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1985,7 +1884,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"localNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -1993,7 +1892,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"connections","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2001,7 +1900,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2009,13 +1908,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"applicationGatewayWebApplicationFirewallPolicies","locations":["West 
@@ -2025,7 +1923,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"locations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-
06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/CheckDnsNameAvailability","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2033,98 +1931,98 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - 
Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada 
Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"20
16-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2016-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"dnsOperationResults","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnsOperationStatuses","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"getDnsResourceReference","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"internalNotify","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/A","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/AAAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CNAME","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/PTR","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/MX","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/TXT"
,"locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SRV","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SOA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/NS","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/recordsets","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/all","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"privateDnsZones","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateDnsZones/virtualNetworkLinks","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"privateDnsOperationResults","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsOperationStatuses","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/A","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/AAAA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/CNAME","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/PTR","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/MX","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/TXT","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SRV","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SOA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/all","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"trafficmanagerprofiles","locations":["global"],"apiVersions":["2018-08-01","2018-04-01","201
8-03-01","2018-02-01","2017-05-01","2017-03-01","2015-11-01","2015-04-28-preview"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, 
@@ -2135,7 +2033,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, 
SupportsLocation"},{"resourceType":"expressRouteServiceProviders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableWafRuleSets","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableSslOptions","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableServerVariables","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableRequestHeaders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableResponseHeaders","locations":[],"apiVersions
":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"routeFilters","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2143,7 +2041,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"bgpServiceCommunities","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"capabilities":"None"},{"resourceType":"virtualWans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2151,7 +2049,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnSites","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2159,15 +2057,14 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnServerConfigurations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South - Africa North","Switzerland North","Germany West Central","Norway East","Central - US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + Africa North","Switzerland North","Germany West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"virtualHubs","locations":["West 
US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil @@ -2175,7 +2072,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2183,7 +2080,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"p2sVpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2191,7 +2088,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","UAE North","South Africa North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"expressRouteGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2199,39 +2096,20 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"firewallPolicies","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"defaultApiVersion":"2019-06-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ipGroups","locations":["UAE - North","Australia Central 2","UAE Central","Germany North","Central India","Korea - South","Switzerland North","Switzerland West","Japan West","France South","South - Africa West","West India","Canada East","South India","Germany West Central","Norway - East","Norway West","South Africa North","East Asia","Southeast Asia","Korea - Central","Brazil South","Japan East","UK West","West US","East US","North - Europe","West 
Europe","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","West Central US","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","France Central","Australia Central","Japan West","Japan East","Korea Central","Korea South","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East 
US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"azureFirewallFqdnTags","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"capabilities":"None"},{"resourceType":"virtualNetworkTaps","locations":["West @@ -2241,7 +2119,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2249,7 +2127,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"ddosProtectionPlans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2257,7 +2135,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"networkProfiles","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2265,70 +2143,58 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"locations/bareMetalTenants","locations":["West + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"webApplicationFirewallPolicies","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West 
US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","West + US 2","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan + West","Brazil South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/bareMetalTenants","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West US","East 
US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"virtualRouters","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"natGateways","locations":["Central - US EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"defaultApiVersion":"2018-11-01","zoneMappings":[{"location":"Central - US 
EUAP","zones":["1","2"]}],"capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","North Europe","West Europe","East - Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-05-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"webApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","West US 2","North Europe","West - Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"virtualRouters","locations":["West US","East + US","North Europe","West Europe","West Central US","South Central US","Australia + East","Australia Central","Australia Southeast","UK South","East US 2","West + US 2","North Central US","Canada Central","France Central","Central US"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '77426' + - '72400' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:04 GMT + - Thu, 06 Feb 2020 00:09:07 GMT expires: - '-1' pragma: 
@@ -2356,7 +2222,7 @@ interactions: ParameterSetName: - -n -g --resource-type --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -2365,15 +2231,15 @@ interactions: response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {\r\n \"cli-test\": \"test\"\r\n },\r\n \"properties\": {\r\n - \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \ \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n \ ]\r\n },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n \ },\r\n \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\\"\",\r\n + \ \"etag\": \"W/\\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -2388,9 +2254,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:04 GMT + - Thu, 06 Feb 2020 00:09:07 GMT etag: - - W/"3b4c6c0e-8942-4a14-b39f-683d225d5ee4" + - W/"42ab806e-4d4b-42ef-a6c5-034c30a8122a" expires: - '-1' pragma: @@ -2407,16 +2273,16 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - c244ffbe-fe74-485b-b507-d5ce01b0dcca + - 79b9a2b8-97f6-4618-9598-e3499c90558f status: code: 200 message: OK - request: body: 'b''{"location": "southcentralus", "tags": {}, "properties": {"provisioningState": - "Succeeded", "resourceGuid": "232e0ec4-27b4-4400-b5b0-207d2a3124af", "addressSpace": + "Succeeded", "resourceGuid": "0ee29215-e09a-49c3-9413-de29403dfef7", "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}, "dhcpOptions": {"dnsServers": []}, "subnets": [{"name": "subnet-000003", "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003", - "etag": "W/\\"3b4c6c0e-8942-4a14-b39f-683d225d5ee4\\"", "properties": {"provisioningState": + "etag": "W/\\"42ab806e-4d4b-42ef-a6c5-034c30a8122a\\"", "properties": {"provisioningState": "Succeeded", "addressPrefix": "10.0.0.0/24", "delegations": [], "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled"}, "type": "Microsoft.Network/virtualNetworks/subnets"}], "virtualNetworkPeerings": [], "enableDdosProtection": false, "enableVmProtection": @@ -2437,7 +2303,7 @@ interactions: ParameterSetName: - -n -g --resource-type --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -2446,15 +2312,15 @@ interactions: response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {},\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n \"addressSpace\": + \ \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n ]\r\n \ },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n },\r\n \ \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -2463,7 +2329,7 @@ interactions: false,\r\n \"enableVmProtection\": false\r\n }\r\n}" headers: azure-asyncoperation: - - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/b49f1c5d-35a3-408f-80fc-5a479d2e65a1?api-version=2019-11-01 + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/5ad63697-fce0-43d1-9cea-0e7c47729173?api-version=2019-11-01 cache-control: - no-cache content-length: @@ -2471,7 +2337,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:09 GMT + - Thu, 06 Feb 2020 00:09:08 GMT expires: - '-1' pragma: @@ -2488,7 +2354,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 8d33737b-092e-44d8-b3ba-3afebaaa6bc9 + - 655d33c7-ffa0-400a-99fa-1329e4812500 x-ms-ratelimit-remaining-subscription-writes: - '1194' status: @@ -2508,10 +2374,10 @@ interactions: ParameterSetName: - -n -g --resource-type --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/b49f1c5d-35a3-408f-80fc-5a479d2e65a1?api-version=2019-11-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/5ad63697-fce0-43d1-9cea-0e7c47729173?api-version=2019-11-01 response: body: string: "{\r\n \"status\": \"Succeeded\"\r\n}" 
@@ -2523,7 +2389,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:41 GMT + - Thu, 06 Feb 2020 00:09:38 GMT expires: - '-1' pragma: @@ -2540,7 +2406,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 30ef78fd-b226-4b5a-b933-ded2d387f191 + - 23cae2c8-43ed-49ef-abda-f6a551feb025 status: code: 200 message: OK 
@@ -2558,22 +2424,22 @@ interactions: ParameterSetName: - -n -g --resource-type --tags User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002?api-version=2019-11-01 response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {},\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n \"addressSpace\": + \ \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n ]\r\n \ },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n },\r\n \ \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n 
\"privateLinkServiceNetworkPolicies\": @@ -2588,9 +2454,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:41 GMT + - Thu, 06 Feb 2020 00:09:38 GMT etag: - - W/"589b1070-76f7-4d29-9f7c-9188082184b6" + - W/"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1" expires: - '-1' pragma: @@ -2607,7 +2473,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 1e204608-5319-430f-90a8-bd029aac9855 + - 5a5ce46a-4a6d-4ade-922f-c9c3666e9738 status: code: 200 message: OK @@ -2625,7 +2491,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -2640,7 +2506,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPAddresses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2648,13 +2514,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkInterfaces","locations":["West 
@@ -2664,7 +2529,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateEndpoints","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -2672,7 +2537,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateEndpointRedirectMaps","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -2680,7 +2545,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"loadBalancers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2688,7 +2553,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"networkSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2696,7 +2561,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -2704,7 +2569,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"serviceEndpointPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2712,7 +2577,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkIntentPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2720,7 +2585,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","France South","Australia Central","South Africa North","UAE North","Switzerland North","Germany - West Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, + West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"routeTables","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2728,7 +2593,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPPrefixes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2736,13 +2601,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa 
North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ddosCustomPolicies","locations":["West @@ -2752,7 +2616,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2760,7 +2624,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/connectionMonitors","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2768,7 +2632,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/flowLogs","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2776,7 +2640,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/lenses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2784,7 +2648,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/pingMeshes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2792,7 +2656,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"virtualNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2800,7 +2664,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"localNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2808,7 +2672,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"connections","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2816,7 +2680,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2824,13 +2688,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"applicationGatewayWebApplicationFirewallPolicies","locations":["West 
@@ -2840,7 +2703,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"locations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-
06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/CheckDnsNameAvailability","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2848,98 +2711,98 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - 
Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada 
Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"20
16-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2016-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"dnsOperationResults","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnsOperationStatuses","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"getDnsResourceReference","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"internalNotify","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/A","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/AAAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CNAME","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/PTR","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/MX","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/TXT"
,"locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SRV","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SOA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/NS","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/recordsets","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/all","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"privateDnsZones","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateDnsZones/virtualNetworkLinks","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"privateDnsOperationResults","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsOperationStatuses","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/A","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/AAAA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/CNAME","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/PTR","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/MX","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/TXT","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SRV","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SOA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/all","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"trafficmanagerprofiles","locations":["global"],"apiVersions":["2018-08-01","2018-04-01","201
8-03-01","2018-02-01","2017-05-01","2017-03-01","2015-11-01","2015-04-28-preview"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, 
@@ -2950,7 +2813,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, 
SupportsLocation"},{"resourceType":"expressRouteServiceProviders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableWafRuleSets","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableSslOptions","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableServerVariables","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableRequestHeaders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableResponseHeaders","locations":[],"apiVersions
":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"routeFilters","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2958,7 +2821,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"bgpServiceCommunities","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"capabilities":"None"},{"resourceType":"virtualWans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -2966,7 +2829,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnSites","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2974,15 +2837,14 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnServerConfigurations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South - Africa North","Switzerland North","Germany West Central","Norway East","Central - US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + Africa North","Switzerland North","Germany West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"virtualHubs","locations":["West 
US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil @@ -2990,7 +2852,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -2998,7 +2860,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"p2sVpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3006,7 +2868,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","UAE North","South Africa North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"expressRouteGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3014,39 +2876,20 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"firewallPolicies","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"defaultApiVersion":"2019-06-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ipGroups","locations":["UAE - North","Australia Central 2","UAE Central","Germany North","Central India","Korea - South","Switzerland North","Switzerland West","Japan West","France South","South - Africa West","West India","Canada East","South India","Germany West Central","Norway - East","Norway West","South Africa North","East Asia","Southeast Asia","Korea - Central","Brazil South","Japan East","UK West","West US","East US","North - Europe","West 
Europe","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","West Central US","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","France Central","Australia Central","Japan West","Japan East","Korea Central","Korea South","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East 
US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"azureFirewallFqdnTags","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"capabilities":"None"},{"resourceType":"virtualNetworkTaps","locations":["West @@ -3056,7 +2899,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3064,7 +2907,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"ddosProtectionPlans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3072,7 +2915,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"networkProfiles","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3080,70 +2923,58 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"locations/bareMetalTenants","locations":["West + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"webApplicationFirewallPolicies","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West 
US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","West + US 2","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan + West","Brazil South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/bareMetalTenants","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West US","East 
US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"virtualRouters","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"natGateways","locations":["Central - US EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"defaultApiVersion":"2018-11-01","zoneMappings":[{"location":"Central - US 
EUAP","zones":["1","2"]}],"capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","North Europe","West Europe","East - Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-05-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"webApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","West US 2","North Europe","West - Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"virtualRouters","locations":["West US","East + US","North Europe","West Europe","West Central US","South Central US","Australia + East","Australia Central","Australia Southeast","UK South","East US 2","West + US 2","North Central US","Canada Central","France Central","Central US"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '77426' + - '72400' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:42 GMT + - Thu, 06 Feb 2020 00:09:41 GMT expires: - '-1' pragma: 
@@ -3171,7 +3002,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -3180,15 +3011,15 @@ interactions: response: body: string: "{\r\n \"name\": \"vnet-000002\",\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n \"type\": + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \"type\": \"Microsoft.Network/virtualNetworks\",\r\n \"location\": \"southcentralus\",\r\n \ \"tags\": {},\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"resourceGuid\": \"232e0ec4-27b4-4400-b5b0-207d2a3124af\",\r\n \"addressSpace\": + \ \"resourceGuid\": \"0ee29215-e09a-49c3-9413-de29403dfef7\",\r\n \"addressSpace\": {\r\n \"addressPrefixes\": [\r\n \"10.0.0.0/16\"\r\n ]\r\n \ },\r\n \"dhcpOptions\": {\r\n \"dnsServers\": []\r\n },\r\n \ \"subnets\": [\r\n {\r\n \"name\": \"subnet-000003\",\r\n \ \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_scenario000001/providers/Microsoft.Network/virtualNetworks/vnet-000002/subnets/subnet-000003\",\r\n - \ \"etag\": \"W/\\\"589b1070-76f7-4d29-9f7c-9188082184b6\\\"\",\r\n + \ \"etag\": \"W/\\\"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1\\\"\",\r\n \ \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \ \"addressPrefix\": \"10.0.0.0/24\",\r\n \"delegations\": [],\r\n \"privateEndpointNetworkPolicies\": \"Enabled\",\r\n \"privateLinkServiceNetworkPolicies\": 
@@ -3203,9 +3034,9 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:43 GMT + - Thu, 06 Feb 2020 00:09:41 GMT etag: - - W/"589b1070-76f7-4d29-9f7c-9188082184b6" + - W/"b0d37dcb-a1c6-44f6-b1a5-99ba924d65e1" expires: - '-1' pragma: @@ -3222,7 +3053,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - d18e134c-abd1-42d0-acd2-fa3496ffb0cd + - 21bfbe33-74db-4500-bc74-a8dac4feeb49 status: code: 200 message: OK @@ -3240,7 +3071,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -3255,7 +3086,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPAddresses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3263,13 +3094,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkInterfaces","locations":["West 
@@ -3279,7 +3109,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateEndpoints","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -3287,7 +3117,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"defaultApiVersion":"2019-02-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateEndpointRedirectMaps","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -3295,7 +3125,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"loadBalancers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3303,7 +3133,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"networkSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3311,7 +3141,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationSecurityGroups","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan @@ -3319,7 +3149,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2017-09-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"serviceEndpointPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3327,7 +3157,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01"],"defaultApiVersion":"2018-01-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkIntentPolicies","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3335,7 +3165,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","France South","Australia Central","South Africa North","UAE North","Switzerland North","Germany - West Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, + West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"routeTables","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3343,7 +3173,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"publicIPPrefixes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3351,13 +3181,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"defaultApiVersion":"2018-07-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa 
North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ddosCustomPolicies","locations":["West @@ -3367,7 +3196,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3375,7 +3204,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/connectionMonitors","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3383,7 +3212,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/flowLogs","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3391,7 +3220,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/lenses","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3399,7 +3228,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkWatchers/pingMeshes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3407,7 +3236,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"virtualNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3415,7 +3244,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"localNetworkGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3423,7 +3252,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"connections","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3431,7 +3260,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-03-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"applicationGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3439,13 +3268,12 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2018-12-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"applicationGatewayWebApplicationFirewallPolicies","locations":["West 
@@ -3455,7 +3283,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01"],"defaultApiVersion":"2018-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"locations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-
06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/operationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/CheckDnsNameAvailability","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3463,98 +3291,98 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"locations/usages","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - 
Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2015-06-15"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2017-10-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2017-10-01"}],"capabilities":"None"},{"resourceType":"locations/virtualNetworkAvailableEndpointServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada 
Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01"],"capabilities":"None"},{"resourceType":"locations/availableDelegations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/serviceTags","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availablePrivateEndpointTypes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01"],"capabilities":"None"},{"resourceType":"locations/availableServiceAliases","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"capabilities":"None"},{"resourceType":"locations/checkPrivateLinkServiceVisibility","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/autoApprovedPrivateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01"],"capabilities":"None"},{"resourceType":"locations/supportedVirtualMachineSizes","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 
EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/checkAcceleratedNetworkingSupport","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/validateResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/setResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"locations/effectiveResourceOwnership","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"20
16-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"dnszones","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2016-04-01"},{"profileVersion":"2018-03-01-hybrid","apiVersion":"2016-04-01"},{"profileVersion":"2019-03-01-hybrid","apiVersion":"2016-04-01"}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"dnsOperationResults","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnsOperationStatuses","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"getDnsResourceReference","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"internalNotify","locations":["global"],"apiVersions":["2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/A","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/AAAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CNAME","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/PTR","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/MX","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/TXT"
,"locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SRV","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/SOA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/NS","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/CAA","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/recordsets","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"dnszones/all","locations":["global"],"apiVersions":["2018-05-01","2018-03-01-preview","2017-10-01","2017-09-15-preview","2017-09-01","2016-04-01","2015-05-04-preview"],"defaultApiVersion":"2018-05-01","capabilities":"None"},{"resourceType":"privateDnsZones","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"privateDnsZones/virtualNetworkLinks","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"privateDnsOperationResults","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsOperationStatuses","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/A","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/AAAA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/CNAME","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/PTR","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/MX","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/TXT","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SRV","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/SOA","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"privateDnsZones/all","locations":["global"],"apiVersions":["2018-09-01"],"defaultApiVersion":"2018-09-01","capabilities":"None"},{"resourceType":"trafficmanagerprofiles","locations":["global"],"apiVersions":["2018-08-01","2018-04-01","201
8-03-01","2018-02-01","2017-05-01","2017-03-01","2015-11-01","2015-04-28-preview"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, 
@@ -3565,7 +3393,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, 
SupportsLocation"},{"resourceType":"expressRouteServiceProviders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01","2016-11-01","2016-10-01","2016-09-01","2016-08-01","2016-07-01","2016-06-01","2016-03-30","2015-06-15","2015-05-01-preview","2014-12-01-preview"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableWafRuleSets","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableSslOptions","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableServerVariables","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableRequestHeaders","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"applicationGatewayAvailableResponseHeaders","locations":[],"apiVersions
":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"capabilities":"None"},{"resourceType":"routeFilters","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3573,7 +3401,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"defaultApiVersion":"2016-12-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"bgpServiceCommunities","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01","2017-08-01","2017-06-01","2017-04-01","2017-03-01","2016-12-01"],"capabilities":"None"},{"resourceType":"virtualWans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3581,7 +3409,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnSites","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3589,15 +3417,14 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-09-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnServerConfigurations","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","South - Africa North","Switzerland North","Germany West Central","Norway East","Central - US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + Africa North","Switzerland North","Germany West Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"virtualHubs","locations":["West 
US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil @@ -3605,7 +3432,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"vpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3613,7 +3440,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01","2018-01-01","2017-11-01","2017-10-01","2017-09-01"],"defaultApiVersion":"2017-11-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"p2sVpnGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3621,7 +3448,7 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","UAE North","South Africa North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"expressRouteGateways","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3629,39 +3456,20 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"firewallPolicies","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"defaultApiVersion":"2019-06-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"ipGroups","locations":["UAE - North","Australia Central 2","UAE Central","Germany North","Central India","Korea - South","Switzerland North","Switzerland West","Japan West","France South","South - Africa West","West India","Canada East","South India","Germany West Central","Norway - East","Norway West","South Africa North","East Asia","Southeast Asia","Korea - Central","Brazil South","Japan East","UK West","West US","East US","North - Europe","West 
Europe","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","West Central US","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"locations/nfvOperations","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"locations/nfvOperationResults","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01"],"capabilities":"None"},{"resourceType":"azureFirewalls","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","France Central","Australia Central","Japan West","Japan East","Korea Central","Korea South","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East 
US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East - US 2","zones":["2","3","1"]},{"location":"Central US","zones":["2","3","1"]},{"location":"West - Europe","zones":["2","3","1"]},{"location":"East US 2 EUAP","zones":["1","2","3"]},{"location":"Central - US EUAP","zones":["1","2"]},{"location":"France Central","zones":["2","3","1"]},{"location":"Southeast - Asia","zones":["2","3","1"]},{"location":"West US 2","zones":["2","3","1"]},{"location":"North - Europe","zones":["2","3","1"]},{"location":"East US","zones":["2","3","1"]},{"location":"UK - South","zones":["2","3","1"]},{"location":"Japan East","zones":["2","3","1"]},{"location":"Australia + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01"],"defaultApiVersion":"2018-04-01","zoneMappings":[{"location":"East + US 2","zones":["2","1","3"]},{"location":"Central US","zones":["2","1","3"]},{"location":"West + Europe","zones":["2","1","3"]},{"location":"France Central","zones":["2","1","3"]},{"location":"Southeast + Asia","zones":["2","1","3"]},{"location":"West US 2","zones":["2","1","3"]},{"location":"North + Europe","zones":["2","1","3"]},{"location":"East US","zones":["2","1","3"]},{"location":"UK + South","zones":["2","1","3"]},{"location":"Japan East","zones":["2","1","3"]},{"location":"Australia East","zones":[]},{"location":"South Africa North","zones":[]},{"location":"South Central US","zones":[]},{"location":"Canada Central","zones":[]}],"capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"azureFirewallFqdnTags","locations":[],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"capabilities":"None"},{"resourceType":"virtualNetworkTaps","locations":["West @@ -3671,7 +3479,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"privateLinkServices","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3679,7 +3487,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"ddosProtectionPlans","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan 
@@ -3687,7 +3495,7 @@ interactions: India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01","2018-04-01","2018-03-01","2018-02-01"],"defaultApiVersion":"2018-02-01","apiProfiles":[{"profileVersion":"2017-03-09-profile","apiVersion":"2018-02-01"}],"capabilities":"SupportsTags, SupportsLocation"},{"resourceType":"networkProfiles","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil 
@@ -3695,70 +3503,58 @@ interactions: India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West Central","Norway - East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01","2018-06-01","2018-05-01"],"defaultApiVersion":"2018-05-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"checkFrontdoorNameAvailability","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","North + Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoorWebApplicationFirewallManagedRuleSets","locations":["global","Central + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"webApplicationFirewallPolicies","locations":["global","Central US","East US","East US 2","North Central US","South Central US","West US","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil - South","Australia East","Australia 
Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01"],"defaultApiVersion":"2019-03-01","capabilities":"None"},{"resourceType":"locations/bareMetalTenants","locations":["West + South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["global","Central + US","East US","East US 2","North Central US","South Central US","West US","West + US 2","North Europe","West Europe","East Asia","Southeast Asia","Japan East","Japan + West","Brazil South","Australia East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"locations/bareMetalTenants","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West + Central","Norway 
East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-07-01"],"capabilities":"None"},{"resourceType":"bastionHosts","locations":["West US","East US","North Europe","West Europe","East Asia","Southeast Asia","North Central US","South Central US","Central US","East US 2","Japan East","Japan West","Brazil South","Australia East","Australia Southeast","Central India","South India","West India","Canada Central","Canada East","West Central US","West US 2","UK West","UK South","Korea Central","Korea South","France Central","Australia Central","South Africa North","UAE North","Switzerland North","Germany West - Central","Norway East","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, - SupportsLocation"},{"resourceType":"virtualRouters","locations":["UAE North","Australia - Central 2","UAE Central","Germany North","Central India","Korea South","Switzerland - North","Switzerland West","Japan West","France South","South Africa West","West - India","Canada East","South India","Germany West Central","Norway East","Norway - West","South Africa North","East Asia","Southeast Asia","Korea Central","Brazil - South","Japan East","UK West","West US","East US","North Europe","West Europe","West - Central US","South Central US","Australia East","Australia Central","Australia - Southeast","UK South","East US 2","West US 2","North Central US","Canada Central","France - Central","Central US","Central US EUAP","East US 2 EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, 
SupportsLocation"},{"resourceType":"natGateways","locations":["Central - US EUAP"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01"],"defaultApiVersion":"2018-11-01","zoneMappings":[{"location":"Central - US EUAP","zones":["1","2"]}],"capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorOperationResults","locations":["global"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-05-01","capabilities":"None"},{"resourceType":"frontdoors","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","North Europe","West Europe","East - Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-05-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01","2018-08-01","2018-05-01"],"defaultApiVersion":"2019-05-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"frontdoorWebApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-10-01","2019-09-01","2019-08-01","2019-03-01","2018-08-01"],"defaultApiVersion":"2019-03-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"webApplicationFirewallPolicies","locations":["East - US 2 EUAP","global","Central US","East US","East US 2","North 
Central US","South - Central US","West US","North Europe","West Europe","East Asia","Southeast - Asia","Japan East","Japan West","Brazil South","Australia East","Australia - Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2018-08-01"],"defaultApiVersion":"2018-08-01","capabilities":"CrossResourceGroupResourceMove, - CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"},{"resourceType":"networkExperimentProfiles","locations":["Central - US EUAP","East US 2 EUAP","global","Central US","East US","East US 2","North - Central US","South Central US","West US","West US 2","North Europe","West - Europe","East Asia","Southeast Asia","Japan East","Japan West","Brazil South","Australia - East","Australia Southeast"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01"],"defaultApiVersion":"2019-11-01","capabilities":"CrossResourceGroupResourceMove, + Central","Norway East"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01","2019-06-01","2019-04-01","2019-02-01","2018-12-01","2018-11-01","2018-10-01"],"defaultApiVersion":"2018-10-01","capabilities":"SupportsTags, + SupportsLocation"},{"resourceType":"virtualRouters","locations":["West US","East + US","North Europe","West Europe","West Central US","South Central US","Australia + East","Australia Central","Australia Southeast","UK South","East US 2","West + US 2","North Central US","Canada Central","France Central","Central US"],"apiVersions":["2019-11-01","2019-09-01","2019-08-01","2019-07-01"],"defaultApiVersion":"2019-07-01","capabilities":"CrossResourceGroupResourceMove, CrossSubscriptionResourceMove, SupportsTags, SupportsLocation"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}' headers: cache-control: - no-cache content-length: - - '77426' + - '72400' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:44 GMT + - Thu, 06 Feb 2020 00:09:41 GMT expires: - '-1' pragma: 
@@ -3788,7 +3584,7 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US @@ -3799,17 +3595,17 @@ interactions: string: '' headers: azure-asyncoperation: - - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/3a622d93-748a-4d95-b4c4-3f8332aa172a?api-version=2019-11-01 + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/f3965bf0-c603-446b-8535-f2b301e458a9?api-version=2019-11-01 cache-control: - no-cache content-length: - '0' date: - - Fri, 07 Feb 2020 16:41:45 GMT + - Thu, 06 Feb 2020 00:09:41 GMT expires: - '-1' location: - - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operationResults/3a622d93-748a-4d95-b4c4-3f8332aa172a?api-version=2019-11-01 + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operationResults/f3965bf0-c603-446b-8535-f2b301e458a9?api-version=2019-11-01 pragma: - no-cache server: @@ -3820,9 +3616,9 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 40d3865d-6b79-40a2-bf09-fa60f6c1b4c0 + - e6cc19c2-03e5-4291-b5bf-aa0478b62714 x-ms-ratelimit-remaining-subscription-deletes: - - '14997' + - '14999' status: code: 202 message: Accepted 
@@ -3840,10 +3636,10 @@ interactions: ParameterSetName: - -n -g --resource-type User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/3a622d93-748a-4d95-b4c4-3f8332aa172a?api-version=2019-11-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/southcentralus/operations/f3965bf0-c603-446b-8535-f2b301e458a9?api-version=2019-11-01 response: body: string: "{\r\n \"status\": \"Succeeded\"\r\n}" @@ -3855,7 +3651,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:41:57 GMT + - Thu, 06 Feb 2020 00:09:52 GMT expires: - '-1' pragma: @@ -3872,7 +3668,7 @@ interactions: x-content-type-options: - nosniff x-ms-arm-service-request-id: - - 61e29d8f-2cff-4fd9-a33e-49603437b9ff + - 948b5caf-1743-4ecb-b1a0-e236d0bd3157 status: code: 200 message: OK @@ -3888,7 +3684,7 @@ interactions: Connection: - keep-alive User-Agent: - - python/3.6.8 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US 
@@ -3896,28 +3692,16 @@ interactions: uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?$filter=&api-version=2019-07-01 response: body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","name":"azureclitestlinux_OsDisk_1_163e7617b87e452daab7e1ac87ce3e61","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/disks/azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","name":"azureclitestwin_OsDisk_1_4dbb794e0224484a8bb609e248c1fd28","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestlinux","name":"azureclitestlinux","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestlinux/extensions/OmsAgentForLinux","name":"azureclitestlinux/OmsAgentForLinux","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Compute/virtualMachines/azureclitestwin","name":"azureclitestwin","type":"Microsoft.Compute/virtualM
achines","location":"eastus","identity":{"principalId":"2df74268-9c56-4884-80ef-2f69781eb458","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AZURE-CLI-TEST-RG/providers/Microsoft.Compute/virtualMachines/azureclitestwin/extensions/MicrosoftMonitoringAgent","name":"azureclitestwin/MicrosoftMonitoringAgent","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.KeyVault/vaults/azureclitest-vault","name":"azureclitest-vault","type":"Microsoft.KeyVault/vaults","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/bastionHosts/azure-cli-test-bastion","name":"azure-cli-test-bastion","type":"Microsoft.Network/bastionHosts","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestlinux487","name":"azureclitestlinux487","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkInterfaces/azureclitestwin173","name":"azureclitestwin173","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestlinux-nsg","name":"azureclitestlinux-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/networkSecurityGroups/azureclitestwin-nsg","name":"azureclitestwin-nsg","type":"Microsoft.Network/networkSecurityGroups"
,"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io","name":"privatelink.azurecr.io","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/publicIPAddresses/azure-cli-test-public-ip","name":"azure-cli-test-public-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Network/virtualNetworks/azure-cli-test-vnet","name":"azure-cli-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag","name":"azureclitestrgdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-cli-test-rg/providers/Microsoft.Storage/storageAccounts/azureclitestrgdiag180","name":"azureclitestrgdiag180","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/azure-core-poc/providers/Microsoft.Storage/storageAccounts/azurecorepoc","name":"azurecorepoc","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/AzureSDKTest_ScheduledCleaner","name":"AzureSDKTest_Sche
duledCleaner","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Logic/workflows/TestLogicApp","name":"TestLogicApp","type":"Microsoft.Logic/workflows","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/arm","name":"arm","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azureautomation","name":"azureautomation","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureSDKTest_reserved/providers/Microsoft.Web/connections/azuremonitorlogs","name":"azuremonitorlogs","type":"Microsoft.Web/connections","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv5","name":"bim-kv5","type":"Microsoft.KeyVault/vaults","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.KeyVault/vaults/bim-kv8","name":"bim-kv8","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/networkInterfaces/bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","name":"bim-pe.nic.0af2074b-66ab-439b-9800-d831a66d111a","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net","name":"privatelink.vaultcore.azure.net","type":"Microsoft.Network/privateDnsZones","location":"global","tags":{}},{"id":"/s
ubscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/s6s556pxon6mw","name":"privatelink.vaultcore.azure.net/s6s556pxon6mw","type":"Microsoft.Network/privateDnsZones/virtualNetworkLinks","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/privateEndpoints/bim-pe","name":"bim-pe","type":"Microsoft.Network/privateEndpoints","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet","name":"bim-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/bim-rg/providers/Microsoft.Network/virtualNetworks/bim-vnet1","name":"bim-vnet1","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01","name":"cli-acc-lefr-01","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.NetApp/netAppAccounts/cli-acc-lefr-01/capacityPools/cli-pool-lefr-01/volumes/cli-volume-lefr-01","name":"cli-acc-lefr-01/cli-pool-lefr-01/cli-volume-lef
r-01","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-01-nic-9TLIIO","name":"anf-cli-vnet-lefr-01-nic-9TLIIO","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_mounttarget_tf7rwbbmlbwztfvh7a6mb5mq3jj7rflbomtdrra5gs/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-01","name":"cli-vnet-lefr-01","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb","name":"cli-acc-4g47wcbjhikbiryb","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_6b4onzey63niwskdjl5sq4pima2mr4cjn2g6g73ta7ifh/providers/Microsoft.NetApp/netAppAccounts/cli-acc-4g47wcbjhikbiryb/capacityPools/cli-pool-rarzmnkwtqzglj4","name":"cli-acc-4g47wcbjhikbiryb/cli-pool-rarzmnkwtqzglj4","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt","name":"cli-acc-s3ddxv7rcas6tlqt","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-p
ool-ue3oz2q7rig2lsr","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal/snapshots/cli-sn-xuosclazscz7mdnfm","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal/cli-sn-xuosclazscz7mdnfm","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.NetApp/netAppAccounts/cli-acc-s3ddxv7rcas6tlqt/capacityPools/cli-pool-ue3oz2q7rig2lsr/volumes/cli-vol-b72oqslfw6y6ywal/snapshots/cli-sn-mst3vgtwwwlwvoxo2","name":"cli-acc-s3ddxv7rcas6tlqt/cli-pool-ue3oz2q7rig2lsr/cli-vol-b72oqslfw6y6ywal/cli-sn-mst3vgtwwwlwvoxo2","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-lefr-02-nic-D0E288","name":"anf-cli-vnet-lefr-02-nic-D0E288","type":"Microsoft.Network/networkInterfaces","location":
"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_itcxt7ld3wikfrgni2ll2lq253ghvjkdrt2uihwhkkh6m/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5","name":"cli-acc-ntb2ma3l4cks2oe5","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.NetApp/netAppAccounts/cli-acc-ntb2ma3l4cks2oe5/capacityPools/cli-pool-ibclpqmabcxes6j/volumes/cli-vol-gpl6m25se32t2drr","name":"cli-acc-ntb2ma3l4cks2oe5/cli-pool-ibclpqmabcxes6j/cli-vol-gpl6m25se32t2drr","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_snapshot_onp7eoh5sieipmfvk4y6ofb55ymjdgfrsxfm3eq7gth3z/providers/Microsoft.Network/virtualNetworks/cli-vnet-lefr-02","name":"cli-vnet-lefr-02","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-
acc-w5jx6si6ji55voxs","name":"cli-acc-w5jx6si6ji55voxs","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.NetApp/netAppAccounts/cli-acc-w5jx6si6ji55voxs/capacityPools/cli-pool-xddcqyn52q3o3op/volumes/cli-vol-53mm6v7tzhtt5ci2","name":"cli-acc-w5jx6si6ji55voxs/cli-pool-xddcqyn52q3o3op/cli-vol-53mm6v7tzhtt5ci2","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-mycjrnigtyehfpg-nic-9HKVH2","name":"anf-cli-vnet-mycjrnigtyehfpg-nic-9HKVH2","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_r2meyizebutqxplsnijejoz4phoh2kumawhy73tqkio2rts/providers/Microsoft.Network/virtualNetworks/cli-vnet-mycjrnigtyehfpg","name":"cli-vnet-mycjrnigtyehfpg","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b","name":"cli-acc-nristrl3sasxf32b","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0
000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2","type":"Microsoft.NetApp/netAppAccounts/capacityPools","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.NetApp/netAppAccounts/cli-acc-nristrl3sasxf32b/capacityPools/cli-pool-idqipl4ysi4o4v2/volumes/cli-vol-obj3h4t6irkmsznu","name":"cli-acc-nristrl3sasxf32b/cli-pool-idqipl4ysi4o4v2/cli-vol-obj3h4t6irkmsznu","type":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/networkInterfaces/anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","name":"anf-cli-vnet-k2bku3zrpd6otc3-nic-VD6TTK","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xi4g7tg3avlhprugupbon456a3p7wabsdfywpdnc3gnpbbo/providers/Microsoft.Network/virtualNetworks/cli-vnet-k2bku3zrpd6otc3","name":"cli-vnet-k2bku3zrpd6otc3","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.NetApp/netAppAccounts/cli-acc-xmmfui5pvv4toht4","name":"cli-acc-xmmfui5pvv4toht4","type":"Microsoft.NetApp/netAppAccounts","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_netappfiles_test_volume_xigavxbqrxitlsur76sagfqlygwbhrphr5fwnmmlf36zoha/providers/Microsoft.Network/virtu
alNetworks/cli-vnet-p72pwguegdqr24o","name":"cli-vnet-p72pwguegdqr24o","type":"Microsoft.Network/virtualNetworks","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/publicIPAddresses/gwip1","name":"gwip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westus","tags":{"foo":"boo"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_active_active_cross_premise_connectionbv75lbbywhchj3ncymgciqalzcks/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_basichde6z7i6uitoprhnxhc2tcczb53v6lmwmio6622bi5r4mxh63ajmi2pt3o/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_frontend_ip_public5ai45fzxsaynqianqu4p2bxn5hnfyqeucp3lvd3hockxh/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_http_settingsdt4567buy5ceiha6k7t6tlhv3f5bbhdopzvwoytluy3dxkt7h6/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resou
rceGroups/cli_test_ag_private_ipwigllraqvruqp5jbpfefwlp7vsnoxsw424ypvgq65n5v3jjl2thxd/providers/Microsoft.Network/virtualNetworks/ag3Vnet","name":"ag3Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_rewrite_rulesetsspxcd2324qug32ddptcmrvea65undfsvelq2ep5g2ise4u5/providers/Microsoft.Network/virtualNetworks/gw1Vnet","name":"gw1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/publicIPAddresses/myip1","name":"myip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_ag_root_cert6lpac4um5l5ownpkk3fvccjfuiplyk3tvjygnu2phhojv6beqxja7d/providers/Microsoft.Network/virtualNetworks/ag1Vnet","name":"ag1Vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_rules_with_ipgroupse4upfibqoujmdn4odvtgrbuvqqgdvwd7/providers/Microsoft.Network/ipGroups/destinationipgroup","name":"destinationipgroup","type":"Microsoft.Network/ipGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"eastus"
},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hub3y2sewu5wiq663lejsu6xqzkus2sy2p73u7enfh6/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsoft.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/azureFirewalls/af1","name":"af1","type":"Microsoft.Network/azureFirewalls","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualHubs/clitestvhub","name":"clitestvhub","type":"Microsoft.Network/virtualHubs","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_virtual_hubfloqub262uzeie6vrsunagnpfmspqyjolnmh5jqx/providers/Microsoft.Network/virtualWans/clitestvwan","name":"clitestvwan","type":"Microsoft.Network/virtualWans","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_cannotdelete_resource_lockp2vpt5v2he5l5lpljydc66rxibmhoup3larmvhfp/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc2nxt66ls36dcstgfd","name":"cli.lock.rsrc2nxt66ls36dcstgfd","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_deploymentr4tqa5sy6pczhpttz26pggldipow2h2u2jdfwbu2b4vdl4wamvwlpzyd/providers/Microsoft.Network/loadBalancers/test-lb","name":"test-lb","type":"Microsoft.Network/load
Balancers","location":"westus","tags":{"key":"super=value"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_deploymentr4tqa5sy6pczhpttz26pggldipow2h2u2jdfwbu2b4vdl4wamvwlpzyd/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclinlgstl3ndjbx","name":"eh-nsclinlgstl3ndjbx","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasdrj6y3jjzz2b5gjynzeg3hlvh4vbevx6axtox4ijutmqpe3uhr2f6zjcvp/providers/Microsoft.EventHub/namespaces/eh-nsclipqjpqzaomo64","name":"eh-nsclipqjpqzaomo64","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclicrivl23n25yr","name":"eh-nsclicrivl23n25yr","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasfaxwrtp645isrxreqi6kj6gtvb4j3lh23klbxtfz7d67cc276s43xrosgp/providers/Microsoft.EventHub/namespaces/eh-nsclig5topw26qop5","name":"eh-nsclig5topw26qop5","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - 
value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscli475lksshlq57","name":"eh-nscli475lksshlq57","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_eh_aliasr6icm7ctnbnlupvodhdxfvgm7ukjbnbzw3w6543qcf232tden7ulag356e/providers/Microsoft.EventHub/namespaces/eh-nscliu2aq4ygqmjba","name":"eh-nscliu2aq4ygqmjba","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_global_ids6hydd6l6wowg7uc74at5mclzi4mivhdvhkz6ztbn56alcrwdltax62o3/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_keyvault_pev5vwohwc5dirit6qvqyfeegxyzgtbpue3d4a4xukv4utxpa4fi66itm/providers/Microsoft.Network/virtualNetworks/cli-vnet-blvqpkews4d4q7d","name":"cli-vnet-blvqpkews4d4q7d","type":"Microsoft.Network/virtualNetworks","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_lock_commands_with_idsc55ctm7bpevokevkktalaoyz2p5l4dzgkpg4qzkqms2f/providers/Microsoft.Network/virtualNetworks/cli-lock-vnet2nc4zyqpfujk7cwff","name":"cli-lock-vnet2nc4zyqpfujk7cwff","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_lock_with_resource_id5qpr54vb6ehq2jvhrqrykzbtsecocigfrjpb7lm5khjow/providers/Microsoft.
Network/virtualNetworks/cli-lock-vnetxqf2q7rcoora3rqmh","name":"cli-lock-vnetxqf2q7rcoora3rqmh","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_mixed_realitygv2l3elh76a7brm66drgektfyzfsijxog6smmqzg6dnn2r7ofuf6c/providers/Microsoft.MixedReality/spatialAnchorsAccounts/MyAccount","name":"MyAccount","type":"Microsoft.MixedReality/spatialAnchorsAccounts","location":"eastus2euap","identity":{"type":"None"},"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingh4x6c65cehejrlop6olq76mtllvitiu2u4vqug2cmv7sx6dn/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/publicIPAddresses/vgw1-pip","name":"vgw1-pip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworkGateways/vgw1","name":"vgw1","type":"Microsoft.N
etwork/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_nw_troubleshootingnzfabynwoumr6mikzh7taiqzgts7oo3mm7rrcu34zritqyqu/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_policyamsvlbqdi3kri65je2bybsbrozwdrwka2tquy37c6oi4wr3h46xdrlulzscy/providers/Microsoft.Network/virtualNetworks/azurecli-test-policy-vnet2lckw4pen2evjmf","name":"azurecli-test-policy-vnet2lckw4pen2evjmf","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_readonly_resource_lock6bfvuem2zkfzr3cnurim3clv7gdf22d3ysjlfgmz52vf/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrcntcafojd6yojogsr7","name":"cli.lock.rsrcntcafojd6yojogsr7","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_id34isokctjnpwlh4b43aen7orkzdhyop6p3vc7ppqypp4p5ooz2huzak/providers/Microsoft.Network/virtualNetworks/cli_test_resource_id_vnet","name":"cli_test_resource_id_vnet","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{"tag-vnet":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_link_scenariokdv5vstd4cieqqpv4oqwhgdj3dw5fsz4wgdczdaieng5/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_lockkbg3wd23f2pez5mppjtcg37ikc7fxaylmn2mu2va7u4e7ouulk5ar/providers/Microsoft.Network/virtualNetworks/cli.lock.rsrc3tk6yei5iyvhkrqlm","name":"cli.lock.rsrc3tk6yei5iyvhkrqlm","type":"Microsoft.Network/virtualNetworks","l
ocation":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_move_sourcep7o2rkz4lidanspz4kivddnkxwjnc6od2zlguy62jed75y/providers/Microsoft.Network/networkSecurityGroups/nsg-movejijgvkpwdr3s","name":"nsg-movejijgvkpwdr3s","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_move_sourcep7o2rkz4lidanspz4kivddnkxwjnc6od2zlguy62jed75y/providers/Microsoft.Network/networkSecurityGroups/nsg-movelbq4l7jgpyhx","name":"nsg-movelbq4l7jgpyhx","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliaqfra2n2au2q","name":"sb-nscliaqfra2n2au2q","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag2: - value2,":"","tag1: value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliasjvmz65dvg7inej34lr2j6ymns5ewjlrnrp4z6ylhegesgpf6io57pmksme/providers/Microsoft.ServiceBus/namespaces/sb-nscliqhxbpvrow6v6","name":"sb-nscliqhxbpvrow6v6","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag2: - value2,":"","tag1: value1}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nsclirfgvnl4guyma","name":"sb-nsclirfgvnl4guyma","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"northcentralus","tags":{"{tag1: - value1,":"","tag2: 
value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sb_aliaszm3yvalycherhh6usqybb4tp3eqbckvxbdrujxlfo2b2kgt74tb645a4r5/providers/Microsoft.ServiceBus/namespaces/sb-nscliucbt7pri3etf","name":"sb-nscliucbt7pri3etf","type":"Microsoft.ServiceBus/namespaces","sku":{"name":"Premium","tier":"Premium","capacity":1},"location":"southcentralus","tags":{"{tag1: - value1,":"","tag2: value2}":""}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router4jftwvqg7c4qf5cl3equryyrich6sye6mu3ab27focv2xez3nrvf/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router6ah44hkwaiunishzfuakmk5j5tyguwqurycesvryomjcsmjcc3p3/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router73dbgjwlekowfnjih5ovae4bmu67izrdit2jebvknbqfgtvi3fne/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_router7cibbvfjttlgg6zw3z5yxqbgc3lzjyfzoowpvfct7grmsrch5xtx/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerdr74a62ccu2ctpd6p56d4jrg6u4nxcmdjb4w445u4llvpmhbq2wi/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routeri2y6ofthh2s7lli
2hn6duuoskl7f4zt73faffn6oi6wlioswhbhp/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/publicIPAddresses/pip1","name":"pip1","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworkGateways/gw1","name":"gw1","type":"Microsoft.Network/virtualNetworkGateways","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerltoxcrbiadgi7ws3p256tx27rkrdz5nh2douoxwi72v6zbc22rl2/providers/Microsoft.Network/virtualNetworks/vnet1","name":"vnet1","type":"Microsoft.Network/virtualNetworks","location":"westcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerrwfem26esani3ontudyvh6glkoyc5xncjnzxg5j6z4mfiphsuh5e/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routert4sl4vlahkzkcf66gopghh6emixxvcxilh5ztirviuxg6lqoyoc4/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routervbaalksbo2ix37kt34tq3p5y7g4ywwh2mr2qqgxwio6ii2xm5qhb/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0
000-000000000000/resourceGroups/cli_test_virtual_routerw43o33exwyp6rxe6dh6qnw4o2rwsxabnftuzapcb2hvajghh33de/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerwiw43ukelamlqitzkvo2kkirlniy6nhcrydg3qtwapx6koz7hfgf/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routerxcouawbpkduxdg5xbsn3casuh7q3cvf2unu367kruseazch4w3di/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_virtual_routery7hke7smvznjb6jyeiiyo6vmcswslr34p2anmj2c3zs25osa4ec7/providers/Microsoft.Network/virtualRouters/vrouter1","name":"vrouter1","type":"Microsoft.Network/virtualRouters","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/loadBalancers/vmss123LB","name":"vmss123LB","type":"Microsoft.Network/loadBalancers","sku":{"name":"Standard"},"location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/networkSecurityGroups/vmss123NSG","name":"vmss123NSG","type":"Microsoft.Network/networkSecurityGroups","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/publicIPAddresses/vmss123LBPublicIP","name":"vmss123LBPublicIP","t
ype":"Microsoft.Network/publicIPAddresses","sku":{"name":"Standard"},"location":"eastus2","zones":["2"],"tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vmss_zones6foe6naynypj75lfecrrgrwwjofoiiqrexzgtmvhncswotqfbtvxoypm/providers/Microsoft.Network/virtualNetworks/vmss123VNET","name":"vmss123VNET","type":"Microsoft.Network/virtualNetworks","location":"eastus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg2qgvxjxy46scnjuh6q5gtypebpi5oeuajfgxb7yrrsggnqxrij6pnc3d7ybz2chih/providers/Microsoft.RecoveryServices/vaults/clitest-vaultcriakztggjr","name":"clitest-vaultcriakztggjr","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg35pihforqftkb5qllg3t75zoxlztjwsmuftgdsphbiy2r3adx3t3spnkzzs2c5c4s/providers/Microsoft.RecoveryServices/vaults/clitest-vaultonvx2gbjtjz","name":"clitest-vaultonvx2gbjtjz","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg3s3h2izedr4olwdk4jqjhltn4lkukfixgfalhtfjmiy6u3xndqvdkrr4j4jqhx6hu/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjs23w5bobvn","name":"clitest-vaultjs23w5bobvn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.RecoveryServices/vaults/clitest-vault37l77wc5c65","name":"clitest-vault37l77wc5c65","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6i4hl6iakg/providers/Microsoft.Storage/storageAccounts/clitestu3p7a7ib4n4y7gt4m","name":"clitestu3p7a7ib4n4y7gt4m","type":"Microsoft.Storage/storageAccounts","sku":{"name
":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg6mxjzuorkskzxoisjj4q7leopfu5mge2nncxfuw33pn7w5rzgt6nqhx3f2koq427p/providers/Microsoft.RecoveryServices/vaults/clitest-vaultqcbszkdhprt","name":"clitest-vaultqcbszkdhprt","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgduxuhyeqzrek7s3jfr776qvugv4qtmrxnlqcwiodxu2wihvqvuajr5bvtbfw2c74d/providers/Microsoft.RecoveryServices/vaults/clitest-vaultvgik7njuazq","name":"clitest-vaultvgik7njuazq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgdzk3w2kpwtbjaippkz6nrab53pinz3nbdcoxurf2fm477d5j2qa43kpmvlh34nudn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultijxt4x4hr4n","name":"clitest-vaultijxt4x4hr4n","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgeklv32akhatp5eikltrbwu3nv7knshqr3ftxpzao7mqusloghl7zsduclggbkqpyg/providers/Microsoft.ContainerRegistry/registries/clireghnxtzih6elkkp7","name":"clireghnxtzih6elkkp7","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Standard","tier":"Standard"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgib3viqdhrawwnaopavpcsc2u3psfod7wlami5tg57borlex2io2b7nolpz4qxhm5p/providers/Microsoft.RecoveryServices/vaults/clitest-vaulte5qqz3zjihv","name":"clitest-vaulte5qqz3zjihv","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgljk7owl4ldwt37zws4grwrer6zjnyeqczgvqzr4vcrrhju7sv5a2sc567rezz2q7b/providers
/Microsoft.ContainerRegistry/registries/cliregcn7lqgzmomxrit","name":"cliregcn7lqgzmomxrit","type":"Microsoft.ContainerRegistry/registries","sku":{"name":"Premium","tier":"Premium"},"location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgmjjmywipmiqslgzl7tzax3aje4fcv3q5xr2h7hulg63ehpwno2mu7ij7dokxqbh5x/providers/Microsoft.RecoveryServices/vaults/clitest-vaultqofbmffwsre","name":"clitest-vaultqofbmffwsre","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgp535jz2dxemblsqlvzwsk4ehth7eprd5yny22fi5rppnick62nncsonvlutvmvbje/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsqo77eexzn","name":"clitest-vaulttsqo77eexzn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgr5sog7j3q3a5o2vy3r4gpl3ylcovxfcbkttkotqe653iz4mlsrbjns76tv4v4lbqq/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfe6e244jgwn","name":"clitest-vaultfe6e244jgwn","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rguk5hr7imq2zbvjzaogkt7gke2onbbn6sr3ux5rfdiqufofpfrmblbmbzrtd663lkn/providers/Microsoft.RecoveryServices/vaults/clitest-vaultfiskwqfysgb","name":"clitest-vaultfiskwqfysgb","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rgyreu2qkpgqyrm56i4cocrrcf5xb2uzmvlm2lau226cqk6zetyu5olii7figpx2mix/providers/Microsoft.RecoveryServices/vaults/clitest-vaulttsindhzqq4y","name":"clitest-vaulttsindhzqq4y","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resource
Groups/clitest.rgzj3xc6lmggzuorcimokxvkq7lrrxtcty3dilmrxzwdjcq35dqahmc7e7snha4milh/providers/Microsoft.RecoveryServices/vaults/clitest-vaultjlixfyp46tq","name":"clitest-vaultjlixfyp46tq","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"Standard"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cloud-shell-storage-westus/providers/Microsoft.Storage/storageAccounts/cs40b1f64711bf0x4ddaxaec","name":"cs40b1f64711bf0x4ddaxaec","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cls_test_adls_fileagud65zszgmmhrjitvc3xrvbjqgzo6e2k6hz6q32xaahz3liu6bllegbz/providers/Microsoft.DataLakeStore/accounts/cliadls7i4c6a3r2irkh5ezr","name":"cliadls7i4c6a3r2irkh5ezr","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/CliGtTestVnet6623","name":"CliGtTestVnet6623","type":"Microsoft.ClassicNetwork/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/networkInterfaces/sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","name":"sdfsdfsdf.nic.483f3d12-3ba8-4789-92dd-b7ed9c4d43db","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/privateLinkServices/sdfsdfsdf","name":"sdfsdfsdf","type":"Microsoft.Network/privateLinkServices","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fanqiu-test/providers/Microsoft.Network/virtualNetworks/vnettest","name":"vnettest","type":"Microsoft.Network/virtualNetworks","location":
"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.alertsmanagement/smartDetectorAlertRules/Failure - Anomalies - fengwsinsightsf6615a96b9","name":"Failure Anomalies - fengwsinsightsf6615a96b9","type":"microsoft.alertsmanagement/smartDetectorAlertRules","location":"global","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/actiongroups/Application - Insights Smart Detection","name":"Application Insights Smart Detection","type":"microsoft.insights/actiongroups","location":"global"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/microsoft.insights/components/fengwsinsightsf6615a96b9","name":"fengwsinsightsf6615a96b9","type":"microsoft.insights/components","kind":"web","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.KeyVault/vaults/fengwskeyvault7b56d2ee87","name":"fengwskeyvault7b56d2ee87","type":"Microsoft.KeyVault/vaults","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.MachineLearningServices/workspaces/feng-ws","name":"feng-ws","type":"Microsoft.MachineLearningServices/workspaces","sku":{"name":"Basic","tier":"Basic"},"location":"westus2","identity":{"principalId":"e08a42f0-29de-46db-a246-9e14da9a92eb","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/feng-test-space","name":"feng-test-space","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/names
paces/my-test-space-2","name":"my-test-space-2","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-1","name":"my-test-space-2/my-hub-1","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-2/notificationHubs/my-hub-2","name":"my-test-space-2/my-hub-2","type":"Microsoft.NotificationHubs/namespaces/notificationHubs","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.NotificationHubs/namespaces/my-test-space-3","name":"my-test-space-3","type":"Microsoft.NotificationHubs/namespaces","sku":{"name":"Free"},"kind":"NotificationHub","location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengsa","name":"fengsa","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/feng-cli-rg/providers/Microsoft.Storage/storageAccounts/fengwsstorage28dfde17cb1","name":"fengwsstorage28dfde17cb1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/diskEncryptionSets/des1","name":"des1","type":"Microsoft.Compute/diskEncryptionSets","location":"centraluseuap","identity":{"principalId":"972fc458-2d2c-4db5-936
b-2d7064770777","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/disks/disk1","name":"disk1","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/FYTEST/providers/Microsoft.Compute/disks/vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","name":"vm_OsDisk_1_4aeb566c88144b749a05cb99eaa7f155","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/snapshots/s1","name":"s1","type":"Microsoft.Compute/snapshots","sku":{"name":"Standard_LRS","tier":"Standard"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Compute/virtualMachines/vm","name":"vm","type":"Microsoft.Compute/virtualMachines","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.KeyVault/vaults/vault4848","name":"vault4848","type":"Microsoft.KeyVault/vaults","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/networkInterfaces/vmVMNic","name":"vmVMNic","type":"Microsoft.Network/networkInterfaces","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/networkSecurityGroups/vmNSG","name":"vmNSG","type":"Microsoft.Network/networkSecurityGroups","location":"centraluseuap","tags":{}},{"id":"/sub
scriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/publicIPAddresses/vmPublicIP","name":"vmPublicIP","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fytest/providers/Microsoft.Network/virtualNetworks/vmVNET","name":"vmVNET","type":"Microsoft.Network/virtualNetworks","location":"centraluseuap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","name":"harold-cm-vm-01_OsDisk_1_54269f294c6f4b5e9bfc489d03e7c506","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","name":"harold-cm-vm-02_OsDisk_1_7a882c39308e4c04a67272c2cb487561","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","name":"harold-cm-vm-03_OsDisk_1_a37225934a7047ff863836d1f611371e","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03","location":"westus"},{"id":"/subsc
riptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","name":"harold-cm-vm-04_OsDisk_1_e3b2a42189bf4ffd91c769b074d63537","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HAROLD-TEST/providers/Microsoft.Compute/disks/harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","name":"harold-cm-vm-05_disk1_f355d08e0fda42aab8e3f3a051b2dcd3","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01","name":"harold-cm-vm-01","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-01/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-01/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02","name":"harold-cm-vm-02","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-02/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-02/AzureNetworkWat
cherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03","name":"harold-cm-vm-03","type":"Microsoft.Compute/virtualMachines","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-03/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-03/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04","name":"harold-cm-vm-04","type":"Microsoft.Compute/virtualMachines","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-04/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-04/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05","name":"harold-cm-vm-05","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Compute/virtualMachines/harold-cm-vm-05/extensions/AzureNetworkWatcherExtension","name":"harold-cm-vm-05/AzureNetworkWatcherExtension","type":"Microsoft.Compute/virtualMachines/extensions","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-01235","name":"harold-cm-vm-01235","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"
id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0243","name":"harold-cm-vm-0243","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-03344","name":"harold-cm-vm-03344","type":"Microsoft.Network/networkInterfaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-0489","name":"harold-cm-vm-0489","type":"Microsoft.Network/networkInterfaces","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkInterfaces/harold-cm-vm-05892","name":"harold-cm-vm-05892","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-01-nsg","name":"harold-cm-vm-01-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-02-nsg","name":"harold-cm-vm-02-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-03-nsg","name":"harold-cm-vm-03-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-04-nsg","name":"harold-cm-vm-04-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"cent
ralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/networkSecurityGroups/harold-cm-vm-05-nsg","name":"harold-cm-vm-05-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-01-ip","name":"harold-cm-vm-01-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-02-ip","name":"harold-cm-vm-02-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-03-ip","name":"harold-cm-vm-03-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-04-ip","name":"harold-cm-vm-04-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/publicIPAddresses/harold-cm-vm-05-ip","name":"harold-cm-vm-05-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/harold-test-vnet","name":"harold-test-vnet","type":"Microsoft.Network/virtualNetworks","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet745","
name":"haroldtestvnet745","type":"Microsoft.Network/virtualNetworks","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Network/virtualNetworks/haroldtestvnet914","name":"haroldtestvnet914","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.OperationalInsights/workspaces/harold-log-analysis","name":"harold-log-analysis","type":"Microsoft.OperationalInsights/workspaces","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag","name":"haroldtestdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag482","name":"haroldtestdiag482","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/harold-test/providers/Microsoft.Storage/storageAccounts/haroldtestdiag596","name":"haroldtestdiag596","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/javacsmrg46947/providers/Microsoft.EventHub/namespaces/ns1305011933","name":"ns1305011933","type":"Microsoft.EventHub/namespaces","sku":{"name":"Standard","tier":"Standard","capacity":1},"location":"southcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.KeyVault/vaults/jlkv0130","name":"jlkv0130","type":"Microsoft.KeyVa
ult/vaults","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlrg1/providers/Microsoft.Storage/storageAccounts/jlcsst","name":"jlcsst","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{"ms-resource-usage":"azure-cloud-shell"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/JLVM2RG/providers/Microsoft.Compute/disks/jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","name":"jlvm2_OsDisk_1_19a136be0ab846fa920a55d173ff3d2a","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Compute/virtualMachines/jlvm2","name":"jlvm2","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkInterfaces/jlvm2980","name":"jlvm2980","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/networkSecurityGroups/jlvm2-nsg","name":"jlvm2-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/publicIPAddresses/jlvm2-ip","name":"jlvm2-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jlvm2rg/providers/Microsoft.Network/virtualNetworks/jlvm2rg-vnet","name":"jlvm2rg-vnet","type":"Microsoft.Network/virtualNetworks","lo
cation":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_canadaeast","name":"NetworkWatcher_canadaeast","type":"Microsoft.Network/networkWatchers","location":"canadaeast"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centralus","name":"NetworkWatcher_centralus","type":"Microsoft.Network/networkWatchers","location":"centralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centraluseuap","name":"NetworkWatcher_centraluseuap","type":"Microsoft.Network/networkWatchers","location":"centraluseuap"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastasia","name":"NetworkWatcher_eastasia","type":"Microsoft.Network/networkWatchers","location":"eastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2","name":"NetworkWatcher_eastus2","type":"Microsoft.Network/networkWatchers","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWat
chers/NetworkWatcher_southeastasia","name":"NetworkWatcher_southeastasia","type":"Microsoft.Network/networkWatchers","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus","name":"NetworkWatcher_westcentralus","type":"Microsoft.Network/networkWatchers","location":"westcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus","name":"NetworkWatcher_westus","type":"Microsoft.Network/networkWatchers","location":"westus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/serverFarms/bookstore-westus2","name":"bookstore-westus2","type":"Microsoft.Web/serverFarms","sku":{"name":"P1v2","tier":"PremiumV2","size":"P1v2","family":"Pv2","capacity":1},"kind":"linux","location":"westus2","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/new-experiences/providers/Microsoft.Web/sites/emerald-bookstore","name":"emerald-bookstore","type":"Microsoft.Web/sites","kind":"app,linux","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTESTRG2BDF0168/providers/Microsoft.Compute/disks/PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","name":"PSTestVM2bdf00_OsDisk_1_3504c3d7c4774045a8c8e590994c6206","type":"Microsoft.Compute/disks","sku":{"name":"Standard_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","location":"
southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Compute/virtualMachines/PSTestVM2bdf00","name":"PSTestVM2bdf00","type":"Microsoft.Compute/virtualMachines","location":"southeastasia","tags":{"Purpose":"PSTest","Owner":"sarath","DeleteBy":"05-2020","AutoShutDown":"No","MabUsed":"Yes"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkInterfaces/PSTestNIC2bdf00","name":"PSTestNIC2bdf00","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/networkSecurityGroups/PSTestNSG2bdf00","name":"PSTestNSG2bdf00","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/publicIPAddresses/pstestpublicdns2bdf00","name":"pstestpublicdns2bdf00","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PSTestRG2bdf0168/providers/Microsoft.Network/virtualNetworks/PSTestVNET2bdf00","name":"PSTestVNET2bdf00","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/QIANWENS/providers/Microsoft.Compute/disks/qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","name":"qianwen-ubuntu_disk1_f50737a0e81d4a22992792d97d2d5c9f","type":"Microsoft.Compute/disks","sku":{"name":"Premium_LRS","tier":"Premium"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","location":"southeasta
sia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Compute/virtualMachines/qianwen-ubuntu","name":"qianwen-ubuntu","type":"Microsoft.Compute/virtualMachines","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkInterfaces/qianwen-ubuntu473","name":"qianwen-ubuntu473","type":"Microsoft.Network/networkInterfaces","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/networkSecurityGroups/qianwen-ubuntu-nsg","name":"qianwen-ubuntu-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/publicIPAddresses/qianwen-ubuntu-ip","name":"qianwen-ubuntu-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Network/virtualNetworks/qianwens-vnet","name":"qianwens-vnet","type":"Microsoft.Network/virtualNetworks","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/qianwens/providers/Microsoft.Storage/storageAccounts/qianwensdiag","name":"qianwensdiag","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/networkInterfaces/anf-sdk-vnet-nic-VLB5RZ","name":"anf-sdk-vnet-nic-VLB5RZ","type":"Microsoft.Network/networkInterfaces","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sdk-wus2-rg-test/providers/Microsoft.Network/virtualNetworks/sdk-vnet","name":"sdk-vnet","type":"M
icrosoft.Network/virtualNetworks","location":"westus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro1","name":"storagesfrepro1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro10","name":"storagesfrepro10","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro11","name":"storagesfrepro11","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro12","name":"storagesfrepro12","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro13","name":"storagesfrepro13","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro14","name":"storagesfrepro14","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centra
lus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro15","name":"storagesfrepro15","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro16","name":"storagesfrepro16","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro17","name":"storagesfrepro17","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro18","name":"storagesfrepro18","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro19","name":"storagesfrepro19","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro2","name":"storagesfrepro2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00
000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro20","name":"storagesfrepro20","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro21","name":"storagesfrepro21","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro22","name":"storagesfrepro22","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro23","name":"storagesfrepro23","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro24","name":"storagesfrepro24","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro25","name":"storagesfrepro25","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/res
ourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro3","name":"storagesfrepro3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro4","name":"storagesfrepro4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro5","name":"storagesfrepro5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro6","name":"storagesfrepro6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro7","name":"storagesfrepro7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft.Storage/storageAccounts/storagesfrepro8","name":"storagesfrepro8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/storage-v2rt-repro/providers/Microsoft
.Storage/storageAccounts/storagesfrepro9","name":"storagesfrepro9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"centralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xiaojianxu/providers/Microsoft.RecoveryServices/vaults/vault418","name":"vault418","type":"Microsoft.RecoveryServices/vaults","sku":{"name":"RS0","tier":"Standard"},"location":"eastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Batch/batchAccounts/yeming","name":"yeming","type":"Microsoft.Batch/batchAccounts","location":"southeastasia"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.DataLakeStore/accounts/yemingdatalake","name":"yemingdatalake","type":"Microsoft.DataLakeStore/accounts","location":"eastus2"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.KeyVault/vaults/yeming","name":"yeming","type":"Microsoft.KeyVault/vaults","location":"eastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yeming/providers/Microsoft.Storage/storageAccounts/yeming","name":"yeming","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"southeastasia","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/YU-TEST-RG/providers/Microsoft.Compute/disks/yu-vm-file-sync_OsDisk_1_e7e0057e014a4892b36383bf731f3bdf","name":"yu-vm-file-sync_OsDisk_1_e7e0057e014a4892b36383bf731f3bdf","type":"Microsoft.Compute/disks","sku":{"name":"StandardSSD_LRS","tier":"Standard"},"managedBy":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/y
u-test-rg/providers/Microsoft.Compute/virtualMachines/yu-vm-file-sync","name":"yu-vm-file-sync","type":"Microsoft.Compute/virtualMachines","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/networkInterfaces/yu-vm-file-sync535","name":"yu-vm-file-sync535","type":"Microsoft.Network/networkInterfaces","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/networkSecurityGroups/yu-vm-file-sync-nsg","name":"yu-vm-file-sync-nsg","type":"Microsoft.Network/networkSecurityGroups","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/publicIPAddresses/yu-vm-file-sync-ip","name":"yu-vm-file-sync-ip","type":"Microsoft.Network/publicIPAddresses","sku":{"name":"Basic"},"location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Network/virtualNetworks/yu-test-rg-vnet","name":"yu-test-rg-vnet","type":"Microsoft.Network/virtualNetworks","location":"eastus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.Storage/storageAccounts/yustorageaccountforsync","name":"yustorageaccountforsync","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yu-test-rg/providers/Microsoft.StorageSync/storageSyncServices/yu-storage-sync","name":"yu-storage-sync","type":"Microsoft.StorageSync/storageSyncServices","location":"eastus","tags":{"zhoxing_test":"1"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.ApiManagement/service/test-serv","name":"test-serv","type":"Microsoft.ApiManagement/service","sku":{"name":"Developer","c
apacity":1},"location":"eastus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest","name":"zhoxingtest","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest2","name":"zhoxingtest2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest3","name":"zhoxingtest3","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest4","name":"zhoxingtest4","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest5","name":"zhoxingtest5","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest6","name":"zhoxingtest6","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageA
ccounts/zhoxingtest7","name":"zhoxingtest7","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest8","name":"zhoxingtest8","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zhoxing-test/providers/Microsoft.Storage/storageAccounts/zhoxingtest9","name":"zhoxingtest9","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"Storage","location":"westus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.DataLakeStore/accounts/zuhdls","name":"zuhdls","type":"Microsoft.DataLakeStore/accounts","location":"eastus2","identity":{"principalId":"327a3561-97d1-4836-8a67-ddd60546701a","tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","type":"SystemAssigned"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors1","name":"zuhors1","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/zuh/providers/Microsoft.Storage/storageAccounts/zuhors2","name":"zuhors2","type":"Microsoft.Storage/storageAccounts","sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","location":"eastus2euap","tags":{}}]}' + string: 
'{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv1","name":"cheggkv1","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.KeyVault/vaults/cheggkv3","name":"cheggkv3","type":"Microsoft.KeyVault/vaults","location":"eastus2","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cheggmsi","name":"cheggmsi","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet1","name":"cheggvnet1","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet2","name":"cheggvnet2","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg1/providers/Microsoft.Network/virtualNetworks/cheggvnet3","name":"cheggvnet3","type":"Microsoft.Network/virtualNetworks","location":"northcentralus","tags":{}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.KeyVault/vaults/cheggkv2","name":"cheggkv2","type":"Microsoft.KeyVault/vaults","location":"northcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cheggrg2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cheggmsi2","name":"cheggmsi2","type":"Microsoft.ManagedIdentity/userAssignedIdentities","location":"canadaeast","tags":{}},{"id":"/subscri
ptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","name":"NetworkWatcher_eastus","type":"Microsoft.Network/networkWatchers","location":"eastus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_northcentralus","name":"NetworkWatcher_northcentralus","type":"Microsoft.Network/networkWatchers","location":"northcentralus"},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_southcentralus","name":"NetworkWatcher_southcentralus","type":"Microsoft.Network/networkWatchers","location":"southcentralus","tags":{"mockTag":"mockValue"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/networkwatcherrg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2","name":"NetworkWatcher_westus2","type":"Microsoft.Network/networkWatchers","location":"westus2","tags":{"mockTag":"mockValue"}}]}' headers: cache-control: - no-cache content-length: - - '93423' + - '3141' content-type: - application/json; charset=utf-8 date: - - Fri, 07 Feb 2020 16:42:08 GMT + - Thu, 06 Feb 2020 00:10:02 GMT expires: - '-1' pragma: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_show_built_in_policy.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_show_built_in_policy.yaml index 9a3d5536e92..06403651c42 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_show_built_in_policy.yaml +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_show_built_in_policy.yaml 
@@ -14,7 +14,7 @@ interactions: - --query User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23,41 +23,47 @@ interactions: body: string: '{"value":[{"properties":{"displayName":"Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945","type":"Microsoft.Authorization/policyDefinitions","name":"0004bbf0-5099-4179-869e-e9ffe5fb0945"},{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. 
To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. 
- Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"},{"properties":{"displayName":"Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a","type":"Microsoft.Authorization/policyDefinitions","name":"00379355-8932-4b52-b63a-3bc6daf3451a"},{"properties":{"displayName":"Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655","type":"Microsoft.Authorization/policyDefinitions","name":"0062eb8b-dc75-4718-8ea5-9bb4a9606655"},{"properties":{"displayName":"Azure + Backup should be enabled for Virtual Machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"},{"properties":{"displayName":"Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147","type":"Microsoft.Authorization/policyDefinitions","name":"01524fa8-4555-48ce-ba5f-c3b8dcef5147"},{"properties":{"displayName":"Microsoft Managed Control 1099 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba","type":"Microsoft.Authorization/policyDefinitions","name":"01910bab-8639-4bd0-84ef-cc53b24d79ba"},{"properties":{"displayName":"Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee","type":"Microsoft.Authorization/policyDefinitions","name":"01f7726b-db54-45c2-bcb5-9bd7a43796ee"},{"properties":{"displayName":"Microsoft Managed 
Control 1709 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c","type":"Microsoft.Authorization/policyDefinitions","name":"025992d6-7fee-4137-9bbf-2ffc39c0686c"},{"properties":{"displayName":"Microsoft Managed Control 1052 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a","type":"Microsoft.Authorization/policyDefinitions","name":"027cae1c-ec3e-4492-9036-4168d540c42a"},{"properties":{"displayName":"Microsoft Managed Control 1034 - Least Privilege","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329","type":"Microsoft.Authorization/policyDefinitions","name":"02a5ed00-6d2e-4e97-9a98-46c32c057329"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one","policyType":"BuiltIn","mode":"All","description":"This 
@@ -65,55 +71,55 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/m
achines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allO
f":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"},{"properties":{"displayName":"Microsoft Managed Control 1623 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed","type":"Microsoft.Authorization/policyDefinitions","name":"02ce1b22-412a-4528-8630-c42146f917ed"},{"properties":{"displayName":"Microsoft Managed Control 1515 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211","type":"Microsoft.Authorization/policyDefinitions","name":"02dd141a-a2b2-49a7-bcbd-ca31142f6211"},{"properties":{"displayName":"Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d","type":"Microsoft.Authorization/policyDefinitions","name":"03188d8f-1ae5-4fe1-974d-2d7d32ef937d"},{"properties":{"displayName":"Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d","type":"Microsoft.Authorization/policyDefinitions","name":"03752212-103c-4ab8-a306-7e813022ca9d"},{"properties":{"displayName":"Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d","type":"Microsoft.Authorization/policyDefinitions","name":"03996055-37a4-45a5-8b70-3f1caa45f87d"},{"properties":{"displayName":"Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4","type":"Microsoft.Authorization/policyDefinitions","name":"03ad326e-d7a1-44b1-9a76-e17492efc9e4"},{"properties":{"displayName":"Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768","type":"Microsoft.Authorization/policyDefinitions","name":"03b78f5e-4877-4303-b0f4-eb6583f25768"},{"properties":{"displayName":"Microsoft Managed Control 1361 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67","type":"Microsoft.Authorization/policyDefinitions","name":"03ed3be1-7276-4452-9a5d-e4168565ac67"},{"properties":{"displayName":"Microsoft Managed Control 1594 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9","type":"Microsoft.Authorization/policyDefinitions","name":"042ba2a1-8bb8-45f4-b080-c78cf62b90e9"},{"properties":{"displayName":"SQL managed instance TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"fi
eld":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -126,11 +132,11 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e","type":"Microsoft.Authorization/policyDefinitions","name":"04d53d87-841c-4f23-8a5b-21564380b55e"},{"properties":{"displayName":"Microsoft Managed Control 1572 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36","type":"Microsoft.Authorization/policyDefinitions","name":"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the 
agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -142,67 +148,69 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77","type":"Microsoft.Authorization/policyDefinitions","name":"053d3325-282c-4e5c-b944-24faffd30d77"},{"properties":{"displayName":"Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4","type":"Microsoft.Authorization/policyDefinitions","name":"05460fe2-301f-4ed1-8174-d62c8bb92ff4"},{"properties":{"displayName":"Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. 
This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"},{"properties":{"displayName":"Diagnostic logs in Azure Data Lake Store should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"},{"properties":{"displayName":"Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0","type":"Microsoft.Authorization/policyDefinitions","name":"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0"},{"properties":{"displayName":"Microsoft Managed Control 1223 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a","type":"Microsoft.Authorization/policyDefinitions","name":"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a"},{"properties":{"displayName":"Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0","type":"Microsoft.Authorization/policyDefinitions","name":"05a289ce-6a20-4b75-a0f3-dc8601b6acd0"},{"properties":{"displayName":"Microsoft Managed Control 1420 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404","type":"Microsoft.Authorization/policyDefinitions","name":"05ae08cc-a282-413b-90c7-21a2c60b8404"},{"properties":{"displayName":"Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching 
Resolver)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098","type":"Microsoft.Authorization/policyDefinitions","name":"063b540e-4bdc-4e7a-a569-3a42ddf22098"},{"properties":{"displayName":"Microsoft Managed Control 1688 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f","type":"Microsoft.Authorization/policyDefinitions","name":"063c3f09-e0f0-4587-8fd5-f4276fae675f"},{"properties":{"displayName":"Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a","type":"Microsoft.Authorization/policyDefinitions","name":"068260be-a5e6-4b0a-a430-cd27071c226a"},{"properties":{"displayName":"Microsoft Managed Control 1455 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a","type":"Microsoft.Authorization/policyDefinitions","name":"068a88d4-e520-434e-baf0-9005a8164e6a"},{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit - DB level audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - 
Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit + DB level audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed 
disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"},{"properties":{"displayName":"Microsoft Managed Control 1366 - Incident Handling | Information Correlation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc","type":"Microsoft.Authorization/policyDefinitions","name":"06c45c30-ae44-4f0f-82be-41331da911cc"},{"properties":{"displayName":"Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a","type":"Microsoft.Authorization/policyDefinitions","name":"07557aa0-e02f-4460-9a81-8ecd2fed601a"},{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. 
Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -214,17 +222,17 @@ interactions: ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c","type":"Microsoft.Authorization/policyDefinitions","name":"0868462e-646c-4fe3-9ced-a733534b6a2c"},{"properties":{"displayName":"Microsoft Managed Control 1583 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d","type":"Microsoft.Authorization/policyDefinitions","name":"0882d488-8e80-4466-bc0f-0cd15b6cb66d"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -235,26 +243,28 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Search/searchServices/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Network - Security Group Rules for Internet facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure - Security Center analyzes the traffic patterns of Internet facing virtual machines - and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d","type":"Microsoft.Authorization/policyDefinitions","name":"08ba64b8-738f-4918-9686-730d2ed79c7d"},{"properties":{"displayName":"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security + Center analyzes the traffic patterns of Internet facing virtual machines and + provides Network Security Group rule recommendations that reduce the potential + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"},{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"},{"properties":{"displayName":"Microsoft Managed Control 1159 - Security 
Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795","type":"Microsoft.Authorization/policyDefinitions","name":"0925f098-7877-450b-8ba4-d1e55f2d8795"},{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without an enabled disk encryption will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"},{"properties":{"displayName":"Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da","type":"Microsoft.Authorization/policyDefinitions","name":"09828c65-e323-422b-9774-9d5c646124da"},{"properties":{"displayName":"Configure backup on VMs of a location to an existing central Vault in the same location","policyType":"BuiltIn","mode":"Indexed","description":"This policy configures Azure Backup protection on VMs in a given location to an 
@@ -262,7 +272,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -281,44 +291,50 @@ interactions: subscription().subscriptionId, ''/resourceGroups/'', resourceGroup().name, ''/providers/Microsoft.Compute/virtualMachines/'',field(''name''))]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913","type":"Microsoft.Authorization/policyDefinitions","name":"09ce66bc-1220-4153-8104-e3f51c936913"},{"properties":{"displayName":"Microsoft Managed Control 1654 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b","type":"Microsoft.Authorization/policyDefinitions","name":"0a2ee16e-ab1f-414a-800b-d1608835862b"},{"properties":{"displayName":"Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9","type":"Microsoft.Authorization/policyDefinitions","name":"0a560d32-8075-4fec-9615-9f7c853f4ea9"},{"properties":{"displayName":"Microsoft Managed Control 1428 - Media Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7","type":"Microsoft.Authorization/policyDefinitions","name":"0a77fcc7-b8d8-451a-ab52-56197913c0c7"},{"properties":{"displayName":"Audit resource location 
matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"},{"properties":{"displayName":"Microsoft Managed Control 1044 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90","type":"Microsoft.Authorization/policyDefinitions","name":"0abbac52-57cf-450d-8408-1208d0dd9e90"},{"properties":{"displayName":"Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311","type":"Microsoft.Authorization/policyDefinitions","name":"0afce0b3-dd9f-42bb-af28-1e4284ba8311"},{"properties":{"displayName":"Email notification to subscription owner for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. 
This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"},{"properties":{"displayName":"Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a","type":"Microsoft.Authorization/policyDefinitions","name":"0b1aa965-7502-41f9-92be-3e2fe7cc392a"},{"properties":{"displayName":"Microsoft Managed Control 1020 - Account Management | Role-Based 
Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce","type":"Microsoft.Authorization/policyDefinitions","name":"0b291ee8-3140-4cad-beb7-568c077c78ce"},{"properties":{"displayName":"Key Vault objects should be recoverable","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits if key vault objects are not recoverable. Soft Delete feature 
@@ -327,96 +343,98 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},{"properties":{"displayName":"Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d","type":"Microsoft.Authorization/policyDefinitions","name":"0b653845-2ad9-4e09-a4f3-5a7c1d78353d"},{"properties":{"displayName":"Microsoft Managed Control 1239 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879","type":"Microsoft.Authorization/policyDefinitions","name":"0be51298-f643-4556-88af-d7db90794879"},{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"},{"properties":{"displayName":"Microsoft Managed Control 1496 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8","type":"Microsoft.Authorization/policyDefinitions","name":"0ca96127-2f87-46ab-a4fc-0d2a786df1c8"},{"properties":{"displayName":"SQL server TDE protector should be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"},{"properties":{"displayName":"Microsoft Managed Control 1518 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815","type":"Microsoft.Authorization/policyDefinitions","name":"0d58f734-c052-40e9-8b2f-a1c2bff0b815"},{"properties":{"displayName":"Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Information Integrity control","metadata":{"category":"Regulatory + this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0","type":"Microsoft.Authorization/policyDefinitions","name":"0d87c70b-5012-48e9-994b-e70dd4b8def0"},{"properties":{"displayName":"Microsoft Managed Control 1466 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451","type":"Microsoft.Authorization/policyDefinitions","name":"0d943a9c-a6f1-401f-a792-740cdb09c451"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderEx
ploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Comput
e/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"},{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"},{"properties":{"displayName":"Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17","type":"Microsoft.Authorization/policyDefinitions","name":"0dced7ab-9ce5-4137-93aa-14c13e06ab17"},{"properties":{"displayName":"[Preview]: Authorized IP ranges should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"},{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. 
Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsof
t.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"},{"properties":{"displayName":"Microsoft Managed Control 1601 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e","type":"Microsoft.Authorization/policyDefinitions","name":"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e"},{"properties":{"displayName":"Microsoft Managed Control 1476 - Fire Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7","type":"Microsoft.Authorization/policyDefinitions","name":"0f3c4ac2-3e35-4906-a80b-473b12a622d7"},{"properties":{"displayName":"Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665","type":"Microsoft.Authorization/policyDefinitions","name":"0f4f6750-d1ab-4a4c-8dfd-af3237682665"},{"properties":{"displayName":"Microsoft Managed Control 1430 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234","type":"Microsoft.Authorization/policyDefinitions","name":"0f559588-5e53-4b14-a7c4-85d28ebc2234"},{"properties":{"displayName":"Microsoft Managed Control 1574 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9","type":"Microsoft.Authorization/policyDefinitions","name":"0f935dab-83d6-47b8-85ef-68b8584161b9"},{"properties":{"displayName":"Microsoft Managed Control 1164 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310","type":"Microsoft.Authorization/policyDefinitions","name":"0fb8d3ce-9e96-481c-9c68-88d4e3019310"},{"properties":{"displayName":"Microsoft Managed Control 1017 - Account Management | Inactivity Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e","type":"Microsoft.Authorization/policyDefinitions","name":"0fc3db37-e59a-48c1-84e9-1780cedb409e"},{"properties":{"displayName":"Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583","type":"Microsoft.Authorization/policyDefinitions","name":"100c82ba-42e9-4d44-a2ba-94b209248583"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -426,11 +444,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -440,55 +458,60 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5","type":"Microsoft.Authorization/policyDefinitions","name":"106ccbe4-a791-4f33-a44a-06796944b8d5"},{"properties":{"displayName":"Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca","type":"Microsoft.Authorization/policyDefinitions","name":"10984b4e-c93e-48d7-bf20-9c03b04e9eca"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Function App","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or 
to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"},{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"},{"properties":{"displayName":"Microsoft Managed Control 1230 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071","type":"Microsoft.Authorization/policyDefinitions","name":"11158848-f679-4e9b-aa7b-9fb07d945071"},{"properties":{"displayName":"Microsoft Managed Control 1432 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media 
Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b","type":"Microsoft.Authorization/policyDefinitions","name":"1140e542-b80d-4048-af45-3f7245be274b"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field
":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07","type":"Microsoft.Authorization/policyDefinitions","name":"11ac78e3-31bc-4f0c-8434-37ab963cea07"},{"properties":{"displayName":"Microsoft Managed Control 1655 - Voice Over Internet Protocol","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b","type":"Microsoft.Authorization/policyDefinitions","name":"121eab72-390e-4629-a7e2-6d6184f57c6b"},{"properties":{"displayName":"Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this 
System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a","type":"Microsoft.Authorization/policyDefinitions","name":"12623e7e-4736-4b2e-b776-c1600f35f93a"},{"properties":{"displayName":"Microsoft Managed Control 1240 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429","type":"Microsoft.Authorization/policyDefinitions","name":"129eb39f-d79a-4503-84cd-92f036b5e429"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"},{"properties":{"displayName":"Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e","type":"Microsoft.Authorization/policyDefinitions","name":"12e30ee3-61e6-4509-8302-a871e8ebb91e"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -497,11 +520,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -512,22 +535,23 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6","type":"Microsoft.Authorization/policyDefinitions","name":"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"},{"properties":{"displayName":"Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys.","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462","type":"Microsoft.Authorization/policyDefinitions","name":"131a2706-61e9-4916-a164-00e052056462"},{"properties":{"displayName":"Microsoft Managed Control 1450 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01","type":"Microsoft.Authorization/policyDefinitions","name":"134d7a13-ba3e-41e2-b236-91bfcfa24e01"},{"properties":{"displayName":"Microsoft Managed Control 1184 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20","type":"Microsoft.Authorization/policyDefinitions","name":"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20"},{"properties":{"displayName":"Microsoft Managed Control 1085 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba","type":"Microsoft.Authorization/policyDefinitions","name":"13d117e0-38b0-4bbb-aaab-563be5dd10ba"},{"properties":{"displayName":"Microsoft Managed Control 1404 - Maintenance Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b","type":"Microsoft.Authorization/policyDefinitions","name":"13d8f903-0cd6-449f-a172-50f6579c182b"},{"properties":{"displayName":"Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion 
Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620","type":"Microsoft.Authorization/policyDefinitions","name":"13fcf812-ec82-4eda-9b89-498de9efd620"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -536,11 +560,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imag
eOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/ima
geOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -550,12 +574,13 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba","type":"Microsoft.Authorization/policyDefinitions","name":"144f1397-32f9-4598-8c88-118decc3ccba"},{"properties":{"displayName":"Microsoft Managed Control 1157 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a","type":"Microsoft.Authorization/policyDefinitions","name":"15495367-cf68-464c-bbc3-f53ca5227b7a"},{"properties":{"displayName":"Microsoft Managed Control 1491 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b","type":"Microsoft.Authorization/policyDefinitions","name":"1571dd40-dafc-4ef4-8f55-16eba27efc7b"},{"properties":{"displayName":"Microsoft Managed Control 1564 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801","type":"Microsoft.Authorization/policyDefinitions","name":"157f0ef9-143f-496d-b8f9-f8c8eeaad801"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -564,7 +589,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equal
s":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -573,10 +599,10 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df","type":"Microsoft.Authorization/policyDefinitions","name":"16390df4-2f73-4b42-af13-c801066763df"},{"properties":{"displayName":"Microsoft Managed Control 1662 - Fail In Known State","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15","type":"Microsoft.Authorization/policyDefinitions","name":"165cb91f-7ea8-4ab7-beaf-8636b98c9d15"},{"properties":{"displayName":"Microsoft Managed Control 1684 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements 
this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf","type":"Microsoft.Authorization/policyDefinitions","name":"16bfdb59-db38-47a5-88a9-2e9371a638cf"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"All","description":"This 
@@ -584,22 +610,23 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"
},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher"
,"equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"},{"properties":{"displayName":"Microsoft Managed Control 1103 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d","type":"Microsoft.Authorization/policyDefinitions","name":"16feeb31-6377-437e-bbab-d7f73911896d"},{"properties":{"displayName":"Microsoft Managed Control 1007 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add","type":"Microsoft.Authorization/policyDefinitions","name":"17200329-bf6c-46d8-ac6d-abf4641c2add"},{"properties":{"displayName":"Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Approved Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34","type":"Microsoft.Authorization/policyDefinitions","name":"17641f70-94cd-4a5d-a613-3d1143e20e34"},{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -610,44 +637,46 @@ interactions: ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', uniqueString(parameters(''targetManagedApplicationId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetManagedApplicationId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetManagedApplicationId":{"value":"[parameters(''targetManagedApplicationId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634","type":"Microsoft.Authorization/policyDefinitions","name":"17763ad9-70c0-4794-9397-53d765932634"},{"properties":{"displayName":"Transparent - Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Data Encryption on SQL databases should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"},{"properties":{"displayName":"Microsoft Managed Control 1325 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19","type":"Microsoft.Authorization/policyDefinitions","name":"1845796a-7581-49b2-ae20-443121538e19"},{"properties":{"displayName":"Microsoft Managed Control 1480 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f","type":"Microsoft.Authorization/policyDefinitions","name":"18a767cc-1947-4338-a240-bc058c81164f"},{"properties":{"displayName":"Microsoft Managed Control 1369 - Incident Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed","type":"Microsoft.Authorization/policyDefinitions","name":"18cc35ed-a429-486d-8d59-cb47e87304ed"},{"properties":{"displayName":"Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66","type":"Microsoft.Authorization/policyDefinitions","name":"19b9439d-865d-4474-b17d-97d2702fdb66"},{"properties":{"displayName":"Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4","type":"Microsoft.Authorization/policyDefinitions","name":"1a437f5b-9ad6-4f28-8861-de404d511ae4"},{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' ''delete,'' - and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"},{"properties":{"displayName":"[Preview]: Access to App Services should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges - that are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability + that are too 
broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -655,48 +684,48 @@ interactions: Deploy Dependency Agent for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows
ServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.A
zure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04","type":"Microsoft.Authorization/policyDefinitions","name":"1c210e94-a481-4beb-95fa-1571b434fb04"},{"properties":{"displayName":"Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31","type":"Microsoft.Authorization/policyDefinitions","name":"1ca29e41-34ec-4e70-aba9-6248aca18c31"},{"properties":{"displayName":"Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b","type":"Microsoft.Authorization/policyDefinitions","name":"1cb067d5-c8b5-4113-a7ee-0a493633924b"},{"properties":{"displayName":"Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222","type":"Microsoft.Authorization/policyDefinitions","name":"1d01ba6c-289f-42fd-a408-494b355b6222"},{"properties":{"displayName":"Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783","type":"Microsoft.Authorization/policyDefinitions","name":"1d50f99d-1356-49c0-934a-45f742ba7783"},{"properties":{"displayName":"Microsoft Managed Control 1538 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874","type":"Microsoft.Authorization/policyDefinitions","name":"1d7658b2-e827-49c3-a2ae-6d2bd0b45874"},{"properties":{"displayName":"Virtual machines should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"},{"properties":{"displayName":"Microsoft Managed Control 1298 - Identification And 
Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee","type":"Microsoft.Authorization/policyDefinitions","name":"1dc784b5-4895-4d27-9d40-a06b032bd1ee"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"},{"properties":{"displayName":"Microsoft Managed Control 1595 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341","type":"Microsoft.Authorization/policyDefinitions","name":"1e0414e7-6ef5-4182-8076-aa82fbb53341"},{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. 
Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"},{"properties":{"displayName":"An 
@@ -704,12 +733,12 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -721,51 +750,58 @@ interactions: logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579","type":"Microsoft.Authorization/policyDefinitions","name":"1f6e93e8-6b31-41b1-83f6-36e449a42579"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory 
pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"},{"properties":{"displayName":"Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929","type":"Microsoft.Authorization/policyDefinitions","name":"2006457a-48b3-4f7b-8d2e-1532287f9929"},{"properties":{"displayName":"Microsoft Managed Control 1650 - Public Key Infrastructure Certificates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"The - NSGs rules for web applications on IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7","type":"Microsoft.Authorization/policyDefinitions","name":"201d3740-bd16-4baf-b4b8-7cda352228b7"},{"properties":{"displayName":"Web + ports should be restricted on Network Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"},{"properties":{"displayName":"Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9","type":"Microsoft.Authorization/policyDefinitions","name":"21839937-d241-4fa5-95c6-b669253d9ab9"},{"properties":{"displayName":"Microsoft Managed Control 1111 - Response To Audit Processing Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b","type":"Microsoft.Authorization/policyDefinitions","name":"21de687c-f15e-4e51-bf8d-f35c8619965b"},{"properties":{"displayName":"Microsoft Managed Control 1596 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8","type":"Microsoft.Authorization/policyDefinitions","name":"21e25e01-0ae0-41be-919e-04ce92b8e8b8"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"All","description":"This policy should 
@@ -773,18 +809,21 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"
Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"},{"properties":{"displayName":"Microsoft Managed Control 1426 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a","type":"Microsoft.Authorization/policyDefinitions","name":"21f639bc-f42b-46b1-8f40-7a2a389c291a"},{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"},{"properties":{"displayName":"Microsoft Managed Control 1399 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3","type":"Microsoft.Authorization/policyDefinitions","name":"2256e638-eb23-480f-9e15-6cf1af0a76b3"},{"properties":{"displayName":"Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a","type":"Microsoft.Authorization/policyDefinitions","name":"22589a07-0007-486a-86ca-95355081ae2a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -792,20 +831,22 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"},{"properties":{"displayName":"Management ports should be closed on your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"},{"properties":{"displayName":"Microsoft Managed Control 1493 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce","type":"Microsoft.Authorization/policyDefinitions","name":"22b469b3-fccf-42da-aa3b-a28e6fb113ce"},{"properties":{"displayName":"Only secure connections to your Redis Cache should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -814,8 +855,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"al
lOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -824,16 +865,16 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca","type":"Microsoft.Authorization/policyDefinitions","name":"23020aa6-1135-4be2-bae2-149982b06eca"},{"properties":{"displayName":"Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980","type":"Microsoft.Authorization/policyDefinitions","name":"232ab24b-810b-4640-9019-74a7d0d6a980"},{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics 
workspace","description":"Select Log Analytics workspace from dropdown 
@@ -846,28 +887,28 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673","type":"Microsoft.Authorization/policyDefinitions","name":"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"},{"properties":{"displayName":"Microsoft Managed Control 1268 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5","type":"Microsoft.Authorization/policyDefinitions","name":"23f6e984-3053-4dfc-ab48-543b764781f5"},{"properties":{"displayName":"Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57","type":"Microsoft.Authorization/policyDefinitions","name":"243ec95e-800c-49d4-ba52-1fdd9f6b8b57"},{"properties":{"displayName":"Microsoft Managed Control 1231 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d","type":"Microsoft.Authorization/policyDefinitions","name":"244e0c05-cc45-4fe7-bf36-42dcf01f457d"},{"properties":{"displayName":"Microsoft Managed Control 1082 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23","type":"Microsoft.Authorization/policyDefinitions","name":"24d480ef-11a0-4b1b-8e70-4e023bf2be23"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"
field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -880,37 +921,38 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b","type":"Microsoft.Authorization/policyDefinitions","name":"25763a0a-5783-4f14-969e-79d4933eb74b"},{"properties":{"displayName":"Microsoft Managed Control 1372 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726","type":"Microsoft.Authorization/policyDefinitions","name":"25b96717-c912-4c00-9143-4e487f411726"},{"properties":{"displayName":"Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e","type":"Microsoft.Authorization/policyDefinitions","name":"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e"},{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"},{"properties":{"displayName":"Microsoft Managed Control 1649 - Collaborative Computing 
Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b","type":"Microsoft.Authorization/policyDefinitions","name":"26d292cc-b0b8-4c29-9337-68abc758bf7b"},{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled 
on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, ''/providers/Microsoft.Batch/batchAccounts/'', field(''name''))]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7","type":"Microsoft.Authorization/policyDefinitions","name":"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"},{"properties":{"displayName":"Microsoft Managed Control 1396 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f","type":"Microsoft.Authorization/policyDefinitions","name":"276af98f-4ff9-4e69-99fb-c9b2452fb85f"},{"properties":{"displayName":"Microsoft Managed Control 1074 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a","type":"Microsoft.Authorization/policyDefinitions","name":"27a69937-af92-4198-9b86-08d355c7e59a"},{"properties":{"displayName":"Microsoft Managed Control 1527 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67","type":"Microsoft.Authorization/policyDefinitions","name":"2823de66-332f-4bfd-94a3-3eb036cd3b67"},{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publi
sher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schem
a":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates 
@@ -921,22 +963,23 @@ interactions: to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."}}},"resources":[{"name":"[concat(parameters(''vmName''),''/IaaSAntimalware'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.Azure.Security","type":"IaaSAntimalware","typeHandlerVersion":"1.3","autoUpgradeMinorVersion":true,"settings":{"AntimalwareEnabled":true,"RealtimeProtectionEnabled":"[parameters(''RealtimeProtectionEnabled'')]","ScheduledScanSettings":{"isEnabled":"[parameters(''ScheduledScanSettingsIsEnabled'')]","day":"[parameters(''ScheduledScanSettingsDay'')]","time":"[parameters(''ScheduledScanSettingsTime'')]","scanType":"[parameters(''ScheduledScanSettingsScanType'')]"},"Exclusions":{"Extensions":"[parameters(''ExclusionsExtensions'')]","Paths":"[parameters(''ExclusionsPaths'')]","Processes":"[parameters(''ExclusionsProcesses'')]"}}}}]},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"RealtimeProtectionEnabled":{"value":"true"},"ScheduledScanSettingsIsEnabled":{"value":"true"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc","type":"Microsoft.Authorization/policyDefinitions","name":"2835b622-407b-4114-9198-6f7064cbe0dc"},{"properties":{"displayName":"Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899","type":"Microsoft.Authorization/policyDefinitions","name":"283a4e29-69d5-4c94-b99e-29acf003c899"},{"properties":{"displayName":"Microsoft Managed Control 1436 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574","type":"Microsoft.Authorization/policyDefinitions","name":"28aab8b4-74fd-4b7c-9080-5a7be525d574"},{"properties":{"displayName":"Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82","type":"Microsoft.Authorization/policyDefinitions","name":"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82"},{"properties":{"displayName":"Microsoft Managed Control 1148 - Security Assessments | Independent Assessors","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902","type":"Microsoft.Authorization/policyDefinitions","name":"28e62650-c7c2-4786-bdfa-17edc1673902"},{"properties":{"displayName":"Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713","type":"Microsoft.Authorization/policyDefinitions","name":"28e633fd-284e-4ea7-88b4-02ca157ed713"},{"properties":{"displayName":"Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2","type":"Microsoft.Authorization/policyDefinitions","name":"292a7c44-37fa-4c68-af7c-9d836955ded2"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -944,132 +987,149 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Mi
crosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"},{"properties":{"displayName":"Append tag and its default value","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. 
New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498","type":"Microsoft.Authorization/policyDefinitions","name":"2a0e14a6-b0a6-4fab-991a-187a4f81c498"},{"properties":{"displayName":"Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7","type":"Microsoft.Authorization/policyDefinitions","name":"2a39ac75-622b-4c88-9a3f-45b7373f7ef7"},{"properties":{"displayName":"Microsoft Managed Control 1274 - Alternate 
Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210","type":"Microsoft.Authorization/policyDefinitions","name":"2aee175f-cd16-4825-939a-a85349d96210"},{"properties":{"displayName":"Microsoft Managed Control 1603 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac","type":"Microsoft.Authorization/policyDefinitions","name":"2b909c26-162f-47ce-8e15-0c1f55632eac"},{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"},{"properties":{"displayName":"Microsoft Managed Control 1434 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f","type":"Microsoft.Authorization/policyDefinitions","name":"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f"},{"properties":{"displayName":"Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2","type":"Microsoft.Authorization/policyDefinitions","name":"2c251a55-31eb-4e53-99c6-e9c43c393ac2"},{"properties":{"displayName":"Microsoft Managed Control 1388 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55","type":"Microsoft.Authorization/policyDefinitions","name":"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55"},{"properties":{"displayName":"Microsoft Managed Control 1344 - Authenticator Feedback","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"Unattached + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e","type":"Microsoft.Authorization/policyDefinitions","name":"2c895fe7-2d8e-43a2-838c-3a533a5b355e"},{"properties":{"displayName":"SSH + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows SSH access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"},{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"},{"properties":{"displayName":"Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa","type":"Microsoft.Authorization/policyDefinitions","name":"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa"},{"properties":{"displayName":"Microsoft Managed Control 1546 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1","type":"Microsoft.Authorization/policyDefinitions","name":"2ce1ea7e-4038-4e53-82f4-63e8859333c1"},{"properties":{"displayName":"Microsoft Managed Control 1414 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6","type":"Microsoft.Authorization/policyDefinitions","name":"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6"},{"properties":{"displayName":"Microsoft Managed Control 1679 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft 
- implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88","type":"Microsoft.Authorization/policyDefinitions","name":"2cf42a28-193e-41c5-98df-7688e7ef0a88"},{"properties":{"displayName":"Microsoft Managed Control 1068 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c","type":"Microsoft.Authorization/policyDefinitions","name":"2d045bca-a0fd-452e-9f41-4ec33769717c"},{"properties":{"displayName":"App Service should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"},{"properties":{"displayName":"Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429","type":"Microsoft.Authorization/policyDefinitions","name":"2d44b6fa-1134-4ea6-ad4e-9edb68f65429"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. 
This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"wi
ndows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{
"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"},{"properties":{"displayName":"Microsoft + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsof
t.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132a
d9e83"},{"properties":{"displayName":"Microsoft Managed Control 1077 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79","type":"Microsoft.Authorization/policyDefinitions","name":"2dad3668-797a-412e-a798-07d3849a7a79"},{"properties":{"displayName":"Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d","type":"Microsoft.Authorization/policyDefinitions","name":"2e1b855b-a013-481a-aeeb-2bcb129fd35d"},{"properties":{"displayName":"Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22","type":"Microsoft.Authorization/policyDefinitions","name":"2e3c5583-1729-4d36-8771-59c32f090a22"},{"properties":{"displayName":"Microsoft Managed Control 1000 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406","type":"Microsoft.Authorization/policyDefinitions","name":"2ef3cc79-733e-48ed-ab6f-7bf439e9b406"},{"properties":{"displayName":"Microsoft Managed Control 1519 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098","type":"Microsoft.Authorization/policyDefinitions","name":"2f13915a-324c-4ab8-b45c-2eefeeefb098"},{"properties":{"displayName":"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"},{"properties":{"displayName":"Microsoft Managed Control 1144 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51","type":"Microsoft.Authorization/policyDefinitions","name":"2fa15ff1-a693-4ee4-b094-324818dc9a51"},{"properties":{"displayName":"Microsoft Managed Control 1090 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1","type":"Microsoft.Authorization/policyDefinitions","name":"2fb740e5-cbc7-4d10-8686-d1bf826652b1"},{"properties":{"displayName":"[Deprecated]: Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in 
''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"c
is-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":
"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fie
ld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', ''='', 
parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1079,25 +1139,25 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"},{"properties":{"displayName":"Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07","type":"Microsoft.Authorization/policyDefinitions","name":"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07"},{"properties":{"displayName":"Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity 
control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119","type":"Microsoft.Authorization/policyDefinitions","name":"31b752c1-05a9-432a-8fce-c39b56550119"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"},{"properties":{"displayName":"Microsoft Managed Control 1587 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c","type":"Microsoft.Authorization/policyDefinitions","name":"32820956-9c6d-4376-934c-05cd8525be7c"},{"properties":{"displayName":"Microsoft Managed Control 1333 - Authenticator Management | Pki-Based 
Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594","type":"Microsoft.Authorization/policyDefinitions","name":"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1106,10 +1166,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer",
"like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imageP
ublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -1119,18 +1179,18 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"},{"properties":{"displayName":"Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37","type":"Microsoft.Authorization/policyDefinitions","name":"32d07d59-2716-4972-b37b-214a67ac4a37"},{"properties":{"displayName":"Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a","type":"Microsoft.Authorization/policyDefinitions","name":"34042a97-ec6d-4263-93d2-8c1c46823b2a"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1139,36 +1199,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"},{"properties":{"displayName":"Microsoft Managed Control 1151 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca","type":"Microsoft.Authorization/policyDefinitions","name":"347e3b69-7fb7-47df-a8ef-71a1a7b44bca"},{"properties":{"displayName":"Microsoft Managed Control 1412 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764","type":"Microsoft.Authorization/policyDefinitions","name":"3492d949-0dbb-4589-88b3-7b59601cc764"},{"properties":{"displayName":"Microsoft Managed Control 1475 - Emergency Lighting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501","type":"Microsoft.Authorization/policyDefinitions","name":"34a63848-30cf-4081-937e-ce1a1c885501"},{"properties":{"displayName":"Microsoft Managed Control 1060 - Remote Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b","type":"Microsoft.Authorization/policyDefinitions","name":"34a987fd-2003-45de-a120-014956581f2b"},{"properties":{"displayName":"Audit unrestricted network access to storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"},{"properties":{"displayName":"Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35","type":"Microsoft.Authorization/policyDefinitions","name":"34cb7e92-fe4c-4826-b51e-8cd203fa5d35"},{"properties":{"displayName":"Diagnostic logs in Logic Apps should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Logic + Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"},{"properties":{"displayName":"Microsoft Managed Control 1210 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8","type":"Microsoft.Authorization/policyDefinitions","name":"3502c968-c490-4570-8167-1476f955e9b8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -1177,7 +1239,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1187,71 +1250,72 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934","type":"Microsoft.Authorization/policyDefinitions","name":"356a906e-05e5-4625-8729-90771e0ee934"},{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"},{"properties":{"displayName":"Microsoft Managed Control 1659 - Architecture And 
Provisioning For Name / Address Resolution Service","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8","type":"Microsoft.Authorization/policyDefinitions","name":"35a4102f-a778-4a2e-98c2-971056288df8"},{"properties":{"displayName":"Gateway subnets should not be configured with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"},{"properties":{"displayName":"Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455","type":"Microsoft.Authorization/policyDefinitions","name":"361a77f6-0f9c-4748-8eec-bc13aaaa2455"},{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"},{"properties":{"displayName":"Microsoft Managed Control 1313 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510","type":"Microsoft.Authorization/policyDefinitions","name":"36220f5b-79a1-4cdb-8c74-2d2449f9a510"},{"properties":{"displayName":"Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0","type":"Microsoft.Authorization/policyDefinitions","name":"3643717a-3897-4bfd-8530-c7c96b26b2a0"},{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when - storing sensitive data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + storing sensitive data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"},{"properties":{"displayName":"Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0","type":"Microsoft.Authorization/policyDefinitions","name":"367ae386-db7f-4167-b672-984ff86277c0"},{"properties":{"displayName":"Microsoft Managed Control 1685 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53","type":"Microsoft.Authorization/policyDefinitions","name":"36b0ef30-366f-4b1b-8652-a3511df11f53"},{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL 
Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU",
"notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -1261,7 +1325,17 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"str
ing"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"typ
e":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -1269,107 +1343,123 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"},{"properties":{"displayName":"Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5","type":"Microsoft.Authorization/policyDefinitions","name":"36fbe499-f2f2-41b6-880e-52d7ea1d94a5"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security 
Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"
effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"},{"properties":{"displayName":"Microsoft Managed Control 1624 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684","type":"Microsoft.Authorization/policyDefinitions","name":"37d079e3-d6aa-4263-a069-dd7ac6dd9684"},{"properties":{"displayName":"Storage accounts should be migrated to new Azure Resource Manager resources","policyType":"BuiltIn","mode":"All","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"},{"properties":{"displayName":"Microsoft 
Managed Control 1335 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a","type":"Microsoft.Authorization/policyDefinitions","name":"382016f3-d4ba-4e15-9716-55077ec4dc2a"},{"properties":{"displayName":"Diagnostic logs in IoT Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Internet + of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"},{"properties":{"displayName":"Microsoft Managed Control 1081 - Information Sharing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf","type":"Microsoft.Authorization/policyDefinitions","name":"3867f2a9-23bb-4729-851f-c3ad98580caf"},{"properties":{"displayName":"Microsoft Managed Control 1522 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9","type":"Microsoft.Authorization/policyDefinitions","name":"38b470cc-f939-4a15-80e0-9f0c74f2e2c9"},{"properties":{"displayName":"Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae","type":"Microsoft.Authorization/policyDefinitions","name":"38dfd8a3-5290-4099-88b7-4081f4c4d8ae"},{"properties":{"displayName":"Microsoft Managed Control 1397 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b","type":"Microsoft.Authorization/policyDefinitions","name":"391af4ab-1117-46b9-b2c7-78bbd5cd995b"},{"properties":{"displayName":"Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da","type":"Microsoft.Authorization/policyDefinitions","name":"391ff8b3-afed-405e-9f7d-ef2f8168d5da"},{"properties":{"displayName":"Advanced data security settings for SQL managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"},{"properties":{"displayName":"Microsoft Managed Control 1232 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272","type":"Microsoft.Authorization/policyDefinitions","name":"396ba986-eac1-4d6d-85c4-d3fda6b78272"},{"properties":{"displayName":"Microsoft Managed Control 1246 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753","type":"Microsoft.Authorization/policyDefinitions","name":"398eb61e-8111-40d5-a0c9-003df28f1753"},{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"},{"properties":{"displayName":"Microsoft Managed Control 1680 - Malicious Code Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38","type":"Microsoft.Authorization/policyDefinitions","name":"399cd6ee-0e18-41db-9dea-cde3bd712f38"},{"properties":{"displayName":"Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764","type":"Microsoft.Authorization/policyDefinitions","name":"39c54140-5902-4079-8bb5-ad31936fe764"},{"properties":{"displayName":"Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9","type":"Microsoft.Authorization/policyDefinitions","name":"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9"},{"properties":{"displayName":"Microsoft Managed Control 1648 - Collaborative Computing Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32","type":"Microsoft.Authorization/policyDefinitions","name":"3a9eb14b-495a-4ebb-933c-ce4ef5264e32"},{"properties":{"displayName":"Microsoft Managed Control 1315 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454","type":"Microsoft.Authorization/policyDefinitions","name":"3aa87116-f1a1-4edb-bfbf-14e036f8d454"},{"properties":{"displayName":"[Preview]: Pod Security Policies should be defined on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"},{"properties":{"displayName":"Microsoft Managed Control 1548 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb","type":"Microsoft.Authorization/policyDefinitions","name":"3afe6c78-6124-4d95-b85c-eb8c0c9539cb"},{"properties":{"displayName":"Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee","type":"Microsoft.Authorization/policyDefinitions","name":"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee"},{"properties":{"displayName":"Microsoft Managed Control 1003 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"[Preview]: + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d","type":"Microsoft.Authorization/policyDefinitions","name":"3b68b179-3704-4ff7-b51d-7d65374d165d"},{"properties":{"displayName":"An + activity log alert should exist for specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should 
exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","conten
tVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -1379,7 +1469,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -1392,21 +1482,21 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038","type":"Microsoft.Authorization/policyDefinitions","name":"3c1b3629-c8f8-4bf6-862c-037cb9094038"},{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"},{"properties":{"displayName":"Microsoft Managed Control 1621 - Resource Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538","type":"Microsoft.Authorization/policyDefinitions","name":"3cb9f731-744a-4691-a481-ca77b0411538"},{"properties":{"displayName":"Microsoft Managed Control 1521 - Personnel Termination | Automated Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5","type":"Microsoft.Authorization/policyDefinitions","name":"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5"},{"properties":{"displayName":"Microsoft Managed Control 1127 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66","type":"Microsoft.Authorization/policyDefinitions","name":"3ce328db-aef3-48ed-9f81-2ab7cf839c66"},{"properties":{"displayName":"Deploy Diagnostic Settings for Search Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -1425,354 +1515,387 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Guest
Configuration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{
"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"},{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', 
parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"},{"properties":{"displayName":"Microsoft Managed Control 1385 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58","type":"Microsoft.Authorization/policyDefinitions","name":"3e495e65-8663-49ca-9b38-9f45e800bc58"},{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"},{"properties":{"displayName":"Microsoft Managed Control 1160 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05","type":"Microsoft.Authorization/policyDefinitions","name":"3e797ca6-2aa8-4333-b335-7036f1110c05"},{"properties":{"displayName":"Microsoft Managed Control 1545 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1","type":"Microsoft.Authorization/policyDefinitions","name":"3f4b171a-a56b-4328-8112-32cf7f947ee1"},{"properties":{"displayName":"Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c","type":"Microsoft.Authorization/policyDefinitions","name":"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"},{"properties":{"displayName":"Microsoft Managed Control 1561 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5","type":"Microsoft.Authorization/policyDefinitions","name":"40364c3f-c331-4e29-b1e3-2fbe998ba2f5"},{"properties":{"displayName":"Secure transfer to storage accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such - as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + as man-in-the-middle, eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"},{"properties":{"displayName":"Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4","type":"Microsoft.Authorization/policyDefinitions","name":"4057863c-ca7d-47eb-b1e0-503580cba8a4"},{"properties":{"displayName":"Microsoft Managed Control 1637 - Boundary Protection | Fail Secure","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3","type":"Microsoft.Authorization/policyDefinitions","name":"4075bedc-c62a-4635-bede-a01be89807f3"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. 
Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfig
uration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"},{"properties":{"displayName":"Microsoft Managed Control 1202 - Access Restrictions For Change","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a","type":"Microsoft.Authorization/policyDefinitions","name":"40a2a83b-74f2-4c02-ae65-f460a5d2792a"},{"properties":{"displayName":"Microsoft Managed Control 1438 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6","type":"Microsoft.Authorization/policyDefinitions","name":"40fcc635-52a2-4dbc-9523-80a1f4aa1de6"},{"properties":{"displayName":"Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5","type":"Microsoft.Authorization/policyDefinitions","name":"4116891d-72f7-46ee-911c-8056cc8dcbd5"},{"properties":{"displayName":"Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d","type":"Microsoft.Authorization/policyDefinitions","name":"411f7e2d-9a0b-4627-a0b9-1700432db47d"},{"properties":{"displayName":"Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac","type":"Microsoft.Authorization/policyDefinitions","name":"41256567-1795-4684-b00b-a1308ce43cac"},{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including 
global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]"
,"notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"},{"properties":{"displayName":"Microsoft Managed Control 1263 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17","type":"Microsoft.Authorization/policyDefinitions","name":"41472613-3b05-49f6-8fe8-525af113ce17"},{"properties":{"displayName":"Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff","type":"Microsoft.Authorization/policyDefinitions","name":"420c1477-aa43-49d0-bd7e-c4abdd9addff"},{"properties":{"displayName":"Microsoft Managed Control 1260 - Contingency Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3","type":"Microsoft.Authorization/policyDefinitions","name":"42254fc4-2738-4128-9613-72aaa4f0d9c3"},{"properties":{"displayName":"Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0","type":"Microsoft.Authorization/policyDefinitions","name":"426c4ac9-ff17-49d0-acd7-a13c157081c0"},{"properties":{"displayName":"Diagnostic logs in Batch accounts should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"},{"properties":{"displayName":"Microsoft Managed Control 1174 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f","type":"Microsoft.Authorization/policyDefinitions","name":"42a9a714-8fbb-43ac-b115-ea12d2bd652f"},{"properties":{"displayName":"Microsoft Managed Control 1137 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c","type":"Microsoft.Authorization/policyDefinitions","name":"4344df62-88ab-4637-b97b-bcaf2ec97e7c"},{"properties":{"displayName":"Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a","type":"Microsoft.Authorization/policyDefinitions","name":"435b2547-6374-4f87-b42d-6e8dbe6ae62a"},{"properties":{"displayName":"Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da","type":"Microsoft.Authorization/policyDefinitions","name":"43684572-e4f1-4642-af35-6b933bc506da"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"},{"properties":{"displayName":"Microsoft Managed Control 1544 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271","type":"Microsoft.Authorization/policyDefinitions","name":"43ced7c9-cd53-456b-b0da-2522649a4271"},{"properties":{"displayName":"Microsoft Managed Control 1398 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4","type":"Microsoft.Authorization/policyDefinitions","name":"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4"},{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure 
Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"},{"properties":{"displayName":"Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36","type":"Microsoft.Authorization/policyDefinitions","name":"4455c2e8-c65d-4acf-895e-304916f90b36"},{"properties":{"displayName":"Microsoft Managed Control 1720 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221","type":"Microsoft.Authorization/policyDefinitions","name":"44b9a7cd-f36a-491a-a48b-6d04ae7c4221"},{"properties":{"displayName":"Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd","type":"Microsoft.Authorization/policyDefinitions","name":"44bfdadc-8c2e-4c30-9c99-f005986fabcd"},{"properties":{"displayName":"Microsoft Managed Control 1604 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f","type":"Microsoft.Authorization/policyDefinitions","name":"44dbba23-0b61-478e-89c7-b3084667782f"},{"properties":{"displayName":"Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0","type":"Microsoft.Authorization/policyDefinitions","name":"44e543aa-41db-42aa-98eb-8a5eb1db53f0"},{"properties":{"displayName":"Microsoft Managed Control 1310 - Device Identification And Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc","type":"Microsoft.Authorization/policyDefinitions","name":"450d7ede-823d-4931-a99d-57f6a38807dc"},{"properties":{"displayName":"Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554","type":"Microsoft.Authorization/policyDefinitions","name":"45692294-f074-42bd-ac54-16f1a3c07554"},{"properties":{"displayName":"Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645","type":"Microsoft.Authorization/policyDefinitions","name":"45b7b644-5f91-498e-9d89-7402532d3645"},{"properties":{"displayName":"Microsoft Managed Control 1565 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b","type":"Microsoft.Authorization/policyDefinitions","name":"45ce2396-5c76-4654-9737-f8792ab3d26b"},{"properties":{"displayName":"Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22","type":"Microsoft.Authorization/policyDefinitions","name":"463e5220-3f79-4e24-a63f-343e4096cd22"},{"properties":{"displayName":"[Deprecated]: Require SQL Server version 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version - other than 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft + other than 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"},{"properties":{"displayName":"Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Identification and 
Authentication control","metadata":{"category":"Regulatory + this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6","type":"Microsoft.Authorization/policyDefinitions","name":"464dc8ce-2200-4720-87a5-dc5952924cc6"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require + older classes and types can make your application 
vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"},{"properties":{"displayName":"Require automatic OS image patching on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft + patches every 
month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de","type":"Microsoft.Authorization/policyDefinitions","name":"465f32da-0ace-4603-8d1b-7be5a3a702de"},{"properties":{"displayName":"Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444","type":"Microsoft.Authorization/policyDefinitions","name":"4708723f-e099-4af1-bbf9-b6df7642e444"},{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security - data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"},{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application 
Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"},{"properties":{"displayName":"Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Incident Response control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft + this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253","type":"Microsoft.Authorization/policyDefinitions","name":"47bc7ea0-7d13-4f7c-a154-b903f7194253"},{"properties":{"displayName":"Microsoft Managed Control 1165 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d","type":"Microsoft.Authorization/policyDefinitions","name":"47e10916-6c9e-446b-b0bd-ff5fd439d79d"},{"properties":{"displayName":"Microsoft Managed Control 1048 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7","type":"Microsoft.Authorization/policyDefinitions","name":"483e7ca9-82b3-45a2-be97-b93163a0deb7"},{"properties":{"displayName":"Microsoft Managed Control 1033 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e","type":"Microsoft.Authorization/policyDefinitions","name":"48540f01-fc11-411a-b160-42807c68896e"},{"properties":{"displayName":"Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503","type":"Microsoft.Authorization/policyDefinitions","name":"4862a63c-6c74-4a9d-a221-89af3c374503"},{"properties":{"displayName":"Microsoft Managed Control 1484 - Water Damage Protection | Automation Support","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456","type":"Microsoft.Authorization/policyDefinitions","name":"486b006a-3653-45e8-b41c-a052d3e05456"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to - access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant + access your app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"},{"properties":{"displayName":"Microsoft Managed Control 1669 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d","type":"Microsoft.Authorization/policyDefinitions","name":"48f2f62b-5743-4415-a143-288adc0e078d"},{"properties":{"displayName":"Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f","type":"Microsoft.Authorization/policyDefinitions","name":"493a95f3-f2e3-47d0-af02-65e6d6decc2f"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed","type":"Microsoft.Authorization/policyDefinitions","name":"496223c3-ad65-4ecd-878a-bae78737e9ed"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"},{"properties":{"displayName":"Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd","type":"Microsoft.Authorization/policyDefinitions","name":"498f6234-3e20-4b6a-a880-cbd646d973bd"},{"properties":{"displayName":"Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f","type":"Microsoft.Authorization/policyDefinitions","name":"49b99653-32cd-405d-a135-e7d60a9aae1f"},{"properties":{"displayName":"Append tag and its default value to resource groups","policyType":"BuiltIn","mode":"All","description":"Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. 
New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71","type":"Microsoft.Authorization/policyDefinitions","name":"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"},{"properties":{"displayName":"Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft + this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d","type":"Microsoft.Authorization/policyDefinitions","name":"49dbe627-2c1e-438c-979e-dd7a39bbf81d"},{"properties":{"displayName":"Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8","type":"Microsoft.Authorization/policyDefinitions","name":"4a1d0394-b9f5-493e-9e83-563fd0ac4df8"},{"properties":{"displayName":"Microsoft Managed Control 1677 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923","type":"Microsoft.Authorization/policyDefinitions","name":"4a248e1e-040f-43e5-bff2-afc3a57a3923"},{"properties":{"displayName":"Microsoft Managed Control 1094 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09","type":"Microsoft.Authorization/policyDefinitions","name":"4b1853e0-8973-446b-b567-09d901d31a09"},{"properties":{"displayName":"Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a","type":"Microsoft.Authorization/policyDefinitions","name":"4c090801-59bc-4454-bb33-e0455133486a"},{"properties":{"displayName":"Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc","type":"Microsoft.Authorization/policyDefinitions","name":"4c615c2a-dc83-4dda-8220-abce7b50c9bc"},{"properties":{"displayName":"Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920","type":"Microsoft.Authorization/policyDefinitions","name":"4c643c9a-1be7-4016-a5e7-e4bada052920"},{"properties":{"displayName":"Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9","type":"Microsoft.Authorization/policyDefinitions","name":"4cca950f-c3b7-492a-8e8f-ea39663c14f9"},{"properties":{"displayName":"Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2","type":"Microsoft.Authorization/policyDefinitions","name":"4ce9073a-77fa-48f0-96b1-87aa8e6091c2"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -1781,9 +1904,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -1796,21 +1919,22 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721","type":"Microsoft.Authorization/policyDefinitions","name":"4d1c04de-2172-403f-901b-90608c35c721"},{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"},{"properties":{"displayName":"Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977","type":"Microsoft.Authorization/policyDefinitions","name":"4d33f9f1-12d0-46ad-9fbd-8f8046694977"},{"properties":{"displayName":"Microsoft Managed Control 1156 - Plan Of Action And Milestones","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378","type":"Microsoft.Authorization/policyDefinitions","name":"4d52e864-9a3b-41ee-8f03-520815fe5378"},{"properties":{"displayName":"Microsoft Managed Control 1312 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274","type":"Microsoft.Authorization/policyDefinitions","name":"4d6a5968-9eef-4c18-8534-376790ab7274"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to 
scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d
16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -1818,7 +1942,7 @@ interactions: Diagnostic Settings for Data Lake Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -1832,84 +1956,87 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08","type":"Microsoft.Authorization/policyDefinitions","name":"4daddf25-4823-43d4-88eb-2419eb6dcc08"},{"properties":{"displayName":"Microsoft Managed Control 1394 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94","type":"Microsoft.Authorization/policyDefinitions","name":"4db56f68-3f50-45ab-88f3-ca46f5379a94"},{"properties":{"displayName":"Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362","type":"Microsoft.Authorization/policyDefinitions","name":"4dfc0855-92c4-4641-b155-a55ddd962362"},{"properties":{"displayName":"Microsoft Managed Control 1001 - Access Control Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7","type":"Microsoft.Authorization/policyDefinitions","name":"4e26f8c3-4bf3-4191-b8fc-d888805101b7"},{"properties":{"displayName":"Microsoft Managed Control 1083 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec","type":"Microsoft.Authorization/policyDefinitions","name":"4e319cb6-2ca3-4a58-ad75-e67f484e50ec"},{"properties":{"displayName":"Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0","type":"Microsoft.Authorization/policyDefinitions","name":"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0"},{"properties":{"displayName":"Microsoft Managed Control 1247 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b","type":"Microsoft.Authorization/policyDefinitions","name":"4e666db5-b2ef-4b06-aac6-09bfce49151b"},{"properties":{"displayName":"Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0","type":"Microsoft.Authorization/policyDefinitions","name":"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0"},{"properties":{"displayName":"Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789","type":"Microsoft.Authorization/policyDefinitions","name":"4e95f70e-181c-4422-9da2-43079710c789"},{"properties":{"displayName":"Microsoft Managed Control 1267 - Alternate Storage Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805","type":"Microsoft.Authorization/policyDefinitions","name":"4e97ba1d-be5d-4953-8da4-0cccf28f4805"},{"properties":{"displayName":"Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240","type":"Microsoft.Authorization/policyDefinitions","name":"4ebd97f7-b105-4f50-8daf-c51465991240"},{"properties":{"displayName":"Microsoft Managed Control 1139 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34","type":"Microsoft.Authorization/policyDefinitions","name":"4ed62522-de00-4dda-9810-5205733d2f34"},{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"},{"properties":{"displayName":"Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475","type":"Microsoft.Authorization/policyDefinitions","name":"4f26049b-2c5a-4841-9ff3-d48a26aae475"},{"properties":{"displayName":"Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da","type":"Microsoft.Authorization/policyDefinitions","name":"4f34f554-da4b-4786-8d66-7915c90893da"},{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"},{"properties":{"displayName":"Add a tag to resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. 
Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26","type":"Microsoft.Authorization/policyDefinitions","name":"4f9dc7db-30c1-420c-b61a-e1d640128d26"},{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"},{"properties":{"displayName":"Microsoft Managed Control 1485 - Delivery And Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b","type":"Microsoft.Authorization/policyDefinitions","name":"50301354-95d0-4a11-8af5-8039ecf6d38b"},{"properties":{"displayName":"Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a","type":"Microsoft.Authorization/policyDefinitions","name":"506814fa-b930-4b10-894e-a45b98c40e1a"},{"properties":{"displayName":"Microsoft Managed Control 1566 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9","type":"Microsoft.Authorization/policyDefinitions","name":"50ad3724-e2ac-4716-afcc-d8eabd97adb9"},{"properties":{"displayName":"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. 
Supported algorithms - and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE 
@@ -1918,109 +2045,111 @@ interactions: Group","description":"DH Group"}},"PFSGroup":{"type":"Array","metadata":{"displayName":"PFS Group","description":"PFS Group"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/connections"},{"anyOf":[{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption","notIn":"[parameters(''IPsecEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity","notIn":"[parameters(''IPsecIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption","notIn":"[parameters(''IKEEncryption'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity","notIn":"[parameters(''IKEIntegrity'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].dhGroup","notIn":"[parameters(''DHGroup'')]"},{"field":"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup","notIn":"[parameters(''PFSGroup'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b","type":"Microsoft.Authorization/policyDefinitions","name":"50b83b09-03da-41c1-b656-c293c914862b"},{"properties":{"displayName":"Microsoft Managed Control 1248 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0","type":"Microsoft.Authorization/policyDefinitions","name":"50fc602d-d8e0-444b-a039-ad138ee5deb0"},{"properties":{"displayName":"Microsoft Managed Control 1386 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065","type":"Microsoft.Authorization/policyDefinitions","name":"5120193e-91fd-4f9d-bc6d-194f94734065"},{"properties":{"displayName":"Microsoft Managed Control 1352 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a","type":"Microsoft.Authorization/policyDefinitions","name":"518cb545-bfa8-43f8-a108-3b7d5037469a"},{"properties":{"displayName":"Microsoft Managed Control 1642 - Network Disconnect","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928","type":"Microsoft.Authorization/policyDefinitions","name":"53397227-5ee3-4b23-9e5e-c8a767ce6928"},{"properties":{"displayName":"Connection throttling should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. 
This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"},{"properties":{"displayName":"Microsoft Managed Control 1467 - Visitor Access Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d","type":"Microsoft.Authorization/policyDefinitions","name":"5350cbf9-8bdd-4904-b22a-e88be84ca49d"},{"properties":{"displayName":"Microsoft Managed 
Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c","type":"Microsoft.Authorization/policyDefinitions","name":"5352e3e0-e63a-452e-9e5f-9c1d181cff9c"},{"properties":{"displayName":"Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69","type":"Microsoft.Authorization/policyDefinitions","name":"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69"},{"properties":{"displayName":"Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this 
Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d","type":"Microsoft.Authorization/policyDefinitions","name":"53c76a39-2097-408a-b237-b279f7b4614d"},{"properties":{"displayName":"Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c","type":"Microsoft.Authorization/policyDefinitions","name":"54205576-cec9-463f-ba44-b4b3f5d0a84c"},{"properties":{"displayName":"Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14","type":"Microsoft.Authorization/policyDefinitions","name":"544a208a-9c3f-40bc-b1d1-d7e144495c14"},{"properties":{"displayName":"Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783","type":"Microsoft.Authorization/policyDefinitions","name":"55419419-c597-4cd4-b51e-009fd2266783"},{"properties":{"displayName":"Microsoft Managed Control 1045 - Unsuccessful Logon Attempts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892","type":"Microsoft.Authorization/policyDefinitions","name":"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892"},{"properties":{"displayName":"Microsoft Managed Control 1523 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601","type":"Microsoft.Authorization/policyDefinitions","name":"5577a310-2551-49c8-803b-36e0d5e55601"},{"properties":{"displayName":"Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d","type":"Microsoft.Authorization/policyDefinitions","name":"562afd61-56be-4313-8fe4-b9564aa4ba7d"},{"properties":{"displayName":"Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c","type":"Microsoft.Authorization/policyDefinitions","name":"56d970ee-4efc-49c8-8a4e-5916940d784c"},{"properties":{"displayName":"Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7","type":"Microsoft.Authorization/policyDefinitions","name":"57149289-d52b-4f40-9fe6-5233c1ef80f7"},{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
- Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"},{"properties":{"displayName":"Microsoft Managed Control 1162 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592","type":"Microsoft.Authorization/policyDefinitions","name":"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592"},{"properties":{"displayName":"Microsoft Managed Control 1054 - Session Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control 
control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2","type":"Microsoft.Authorization/policyDefinitions","name":"5807e1b4-ba5e-4718-8689-a0ca05a191b2"},{"properties":{"displayName":"Microsoft Managed Control 1584 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c","type":"Microsoft.Authorization/policyDefinitions","name":"5864522b-ff1d-4979-a9f8-58bee1fb174c"},{"properties":{"displayName":"Microsoft Managed Control 1547 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52","type":"Microsoft.Authorization/policyDefinitions","name":"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52"},{"properties":{"displayName":"Microsoft Managed Control 1573 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2","type":"Microsoft.Authorization/policyDefinitions","name":"58c93053-7b98-4cf0-b99f-1beb985416c2"},{"properties":{"displayName":"[Deprecated]: Ensure Function app is using the latest version of TLS encryption","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"},{"properties":{"displayName":"Microsoft Managed Control 1063 - Remote Access | Managed Access Control 
Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780","type":"Microsoft.Authorization/policyDefinitions","name":"593ce201-54b2-4dd0-b34f-c308005d7780"},{"properties":{"displayName":"Microsoft Managed Control 1463 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495","type":"Microsoft.Authorization/policyDefinitions","name":"59721f87-ae25-4db0-a2a4-77cc5b25d495"},{"properties":{"displayName":"Microsoft Managed Control 1425 - Timely Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b","type":"Microsoft.Authorization/policyDefinitions","name":"5983d99c-f39b-4c32-a3dc-170f19f6941b"},{"properties":{"displayName":"Microsoft Managed Control 1512 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8","type":"Microsoft.Authorization/policyDefinitions","name":"5a8324ad-f599-429b-aaed-f9c6e8c987a8"},{"properties":{"displayName":"[Preview]: Show 
audit results from Windows VMs that do not have a minimum password age of 1 day","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"},{"properties":{"displayName":"Microsoft Managed Control 1032 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751","type":"Microsoft.Authorization/policyDefinitions","name":"5aa85661-d618-46b8-a20f-ca40a86f0751"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2028,32 +2157,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"
},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"},{"properties":{"displayName":"Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc","type":"Microsoft.Authorization/policyDefinitions","name":"5afa8cab-1ed7-4e40-884c-64e0ac2059cc"},{"properties":{"displayName":"Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c","type":"Microsoft.Authorization/policyDefinitions","name":"5b070cab-0fb8-4e48-ad29-fc90b4c2797c"},{"properties":{"displayName":"Microsoft Managed Control 1005 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1","type":"Microsoft.Authorization/policyDefinitions","name":"5b626abc-26d4-4e22-9de8-3831818526b1"},{"properties":{"displayName":"Microsoft Managed Control 1105 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459","type":"Microsoft.Authorization/policyDefinitions","name":"5b73f57b-587d-4470-a344-0b0ae805f459"},{"properties":{"displayName":"Show audit results from Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/im
agePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/
policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"},{"properties":{"displayName":"Microsoft Managed Control 1433 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65","type":"Microsoft.Authorization/policyDefinitions","name":"5b879b41-2728-41c5-ad24-9ee2c37cbe65"},{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection 
@@ -2063,17 +2193,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2085,7 +2215,7 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a","type":"Microsoft.Authorization/policyDefinitions","name":"5bb36dda-8a78-4df9-affd-4f05a8612a8a"},{"properties":{"displayName":"Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7","type":"Microsoft.Authorization/policyDefinitions","name":"5bbda922-0172-4095-89e6-5b4a0bf03af7"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2093,73 +2223,74 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138","type":"Microsoft.Authorization/policyDefinitions","name":"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"},{"properties":{"displayName":"Microsoft Managed Control 1671 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698","type":"Microsoft.Authorization/policyDefinitions","name":"5c5bbef7-a316-415b-9b38-29753ce8e698"},{"properties":{"displayName":"Microsoft Managed Control 1067 - Wireless Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190","type":"Microsoft.Authorization/policyDefinitions","name":"5c5e54f6-0127-44d0-8b61-f31dc8dd6190"},{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored 
access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"},{"properties":{"displayName":"Microsoft Managed Control 1483 - Water Damage Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1","type":"Microsoft.Authorization/policyDefinitions","name":"5cb81060-3c8a-4968-bcdc-395a1801f6c1"},{"properties":{"displayName":"Microsoft Managed Control 1362 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214","type":"Microsoft.Authorization/policyDefinitions","name":"5d169442-d6ef-439b-8dca-46c2c3248214"},{"properties":{"displayName":"Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c","type":"Microsoft.Authorization/policyDefinitions","name":"5dee936c-8037-4df1-ab35-6635733da48c"},{"properties":{"displayName":"Microsoft Managed Control 1665 - Process Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512","type":"Microsoft.Authorization/policyDefinitions","name":"5df3a55c-8456-44d4-941e-175f79332512"},{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + 
Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"},{"properties":{"displayName":"Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348","type":"Microsoft.Authorization/policyDefinitions","name":"5e2b3730-8c14-4081-8893-19dbb5de7348"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. 
- Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplic
ation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"},{"properties":{"displayName":"Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635","type":"Microsoft.Authorization/policyDefinitions","name":"5e47bc51-35d1-44b8-92af-e2f2d8b67635"},{"properties":{"displayName":"Microsoft Managed Control 1208 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f","type":"Microsoft.Authorization/policyDefinitions","name":"5ea87673-d06b-456f-a324-8abcee5c159f"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central 
India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"},{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the 
@@ -2172,22 +2303,23 @@ interactions: extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069","type":"Microsoft.Authorization/policyDefinitions","name":"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"},{"properties":{"displayName":"Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18","type":"Microsoft.Authorization/policyDefinitions","name":"5f18c885-ade3-48c5-80b1-8f9216019c18"},{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"},{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), 
'']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008","type":"Microsoft.Authorization/policyDefinitions","name":"5ffd78d9-436d-4b41-a421-5baa819e3008"},{"properties":{"displayName":"Microsoft Managed Control 1663 - Protection Of Information At Rest","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa","type":"Microsoft.Authorization/policyDefinitions","name":"60171210-6dde-40af-a144-bf2670518bfa"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2195,11 +2327,11 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micro
soft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"},{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"},{"properties":{"displayName":"Show audit results from Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -2207,12 +2339,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"
Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field
":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"},{"properties":{"displayName":"Deploy Advanced Data Security on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. 
It will automatically create a storage account in the same region and resource group as the SQL server - to store scan results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + to store scan results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), 
@@ -2220,11 +2352,12 @@ interactions: variables(''storageName''))).primaryEndpoints.blob, ''vulnerability-assessment'')]","storageAccountAccessKey":"[listKeys(resourceId(''Microsoft.Storage/storageAccounts'', variables(''storageName'')), ''2018-02-01'').keys[0].value]","recurringScans":{"isEnabled":true,"emailSubscriptionAdmins":true,"emails":[]}},"dependsOn":["[concat(''Microsoft.Storage/storageAccounts/'', variables(''storageName''))]","[concat(''Microsoft.Sql/servers/'', parameters(''serverName''), - ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"Configure - time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This + ''/securityAlertPolicies/Default'')]"]}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6","type":"Microsoft.Authorization/policyDefinitions","name":"6134c3db-786f-471e-87bc-8f479dc890f6"},{"properties":{"displayName":"[Preview]: + Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + on Windows virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -2275,7 +2408,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybri
dCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastru
cture-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2285,15 +2418,16 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"},{"properties":{"displayName":"Microsoft Managed Control 1110 - Audit Storage Capacity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7","type":"Microsoft.Authorization/policyDefinitions","name":"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7"},{"properties":{"displayName":"Microsoft Managed Control 1415 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83","type":"Microsoft.Authorization/policyDefinitions","name":"61a1dd98-b259-4840-abd5-fbba7ee0da83"},{"properties":{"displayName":"Microsoft Managed Control 1153 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635","type":"Microsoft.Authorization/policyDefinitions","name":"61cf3125-142c-4754-8a16-41ab4d529635"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2301,72 +2435,80 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"typ
e":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/i
mageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"},{"properties":{"displayName":"Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198","type":"Microsoft.Authorization/policyDefinitions","name":"62b638c5-29d7-404b-8d93-f21e4b1ce198"},{"properties":{"displayName":"Microsoft Managed Control 1660 - Session Authenticity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554","type":"Microsoft.Authorization/policyDefinitions","name":"63096613-ce83-43e5-96f4-e588e8813554"},{"properties":{"displayName":"Microsoft Managed Control 1002 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65","type":"Microsoft.Authorization/policyDefinitions","name":"632024c2-8079-439d-a7f6-90af1d78cc65"},{"properties":{"displayName":"Microsoft Managed Control 1498 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1","type":"Microsoft.Authorization/policyDefinitions","name":"633988b9-cf2f-4323-8394-f0d2af9cd6e1"},{"properties":{"displayName":"Microsoft Managed Control 1177 - Baseline Configuration | Reviews And 
Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc","type":"Microsoft.Authorization/policyDefinitions","name":"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc"},{"properties":{"displayName":"Microsoft Managed Control 1185 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c","type":"Microsoft.Authorization/policyDefinitions","name":"6420cd73-b939-43b7-9d99-e8688fea053c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group 
Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/image
Publisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"},{"properties":{"displayName":"Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7","type":"Microsoft.Authorization/policyDefinitions","name":"6519d7f3-e8a2-4ff3-a935-9a9497152ad7"},{"properties":{"displayName":"Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17","type":"Microsoft.Authorization/policyDefinitions","name":"65592b16-4367-42c5-a26e-d371be450e17"},{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"},{"properties":{"displayName":"Microsoft Managed Control 1261 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431","type":"Microsoft.Authorization/policyDefinitions","name":"65aeceb5-a59c-4cb1-8d82-9c474be5d431"},{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. 
Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"},{"properties":{"displayName":"Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e","type":"Microsoft.Authorization/policyDefinitions","name":"666143df-f5e0-45bd-b554-135f0f93e44e"},{"properties":{"displayName":"Microsoft Managed Control 1319 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42","type":"Microsoft.Authorization/policyDefinitions","name":"66f7ae57-5560-4fc5-85c9-659f204e7a42"},{"properties":{"displayName":"Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069","type":"Microsoft.Authorization/policyDefinitions","name":"67de62b4-a737-4781-8861-3baed3c35069"},{"properties":{"displayName":"Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67","type":"Microsoft.Authorization/policyDefinitions","name":"68434bd1-e14b-4031-9edb-a4adf5f84a67"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2375,10 +2517,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{
"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2388,32 +2530,32 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a","type":"Microsoft.Authorization/policyDefinitions","name":"68511db2-bd02-41c4-ae6b-1900a012968a"},{"properties":{"displayName":"Microsoft Managed Control 1597 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016","type":"Microsoft.Authorization/policyDefinitions","name":"68b250ec-2e4f-4eee-898a-117a9fda7016"},{"properties":{"displayName":"Microsoft Managed Control 1588 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + 
implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9","type":"Microsoft.Authorization/policyDefinitions","name":"68ebae26-e0e0-4ecb-8379-aabf633b51e9"},{"properties":{"displayName":"Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8","type":"Microsoft.Authorization/policyDefinitions","name":"68f837d0-8942-4b1e-9b31-be78b247bda8"},{"properties":{"displayName":"Microsoft Managed Control 1727 - Memory Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3","type":"Microsoft.Authorization/policyDefinitions","name":"697175a7-9715-4e89-b98b-c6f605888fa3"},{"properties":{"displayName":"Microsoft Managed Control 1652 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d","type":"Microsoft.Authorization/policyDefinitions","name":"6998e84a-2d29-4e10-8962-76754d4f772d"},{"properties":{"displayName":"Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c","type":"Microsoft.Authorization/policyDefinitions","name":"69c7bee8-bc19-4129-a51e-65a7b39d3e7c"},{"properties":{"displayName":"Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8","type":"Microsoft.Authorization/policyDefinitions","name":"69d2a238-20ab-4206-a6dc-f302bf88b1b8"},{"properties":{"displayName":"Microsoft Managed Control 1244 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937","type":"Microsoft.Authorization/policyDefinitions","name":"6a13a8f8-c163-4b1b-8554-d63569dab937"},{"properties":{"displayName":"Microsoft Managed Control 1019 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7","type":"Microsoft.Authorization/policyDefinitions","name":"6a3ee9b2-3977-459c-b8ce-2db583abd9f7"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2422,13 +2564,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -2440,31 +2583,31 @@ interactions: Audit IP restrictions configuration for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"},{"properties":{"displayName":"Microsoft Managed Control 1211 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50","type":"Microsoft.Authorization/policyDefinitions","name":"6a8b9dc8-6b00-4701-aa96-bba3277ebf50"},{"properties":{"displayName":"[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ","policyType":"BuiltIn","mode":"Indexed","description":"Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. 
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"},{"properties":{"displayName":"Microsoft Managed Control 1653 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b","type":"Microsoft.Authorization/policyDefinitions","name":"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b"},{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"},{"properties":{"displayName":"Deploy Diagnostic Settings for Service Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event 
Hub authorization rule 
@@ -2478,70 +2621,71 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403","type":"Microsoft.Authorization/policyDefinitions","name":"6b51af03-9277-49a9-a3f8-1c69c9ff7403"},{"properties":{"displayName":"Microsoft Managed Control 1031 - Separation Of Duties","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00","type":"Microsoft.Authorization/policyDefinitions","name":"6b93a801-fe25-4574-a60d-cb22acffae00"},{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - 
deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"},{"properties":{"displayName":"Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db","type":"Microsoft.Authorization/policyDefinitions","name":"6c59a207-6aed-41dc-83a2-e1ff66e4a4db"},{"properties":{"displayName":"Microsoft Managed Control 1304 - Identification And Authentication (Org. 
Users) | Local Access To Non-Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b","type":"Microsoft.Authorization/policyDefinitions","name":"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b"},{"properties":{"displayName":"Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c","type":"Microsoft.Authorization/policyDefinitions","name":"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c"},{"properties":{"displayName":"Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Security Assessment and Authorization control","metadata":{"category":"Regulatory + this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00","type":"Microsoft.Authorization/policyDefinitions","name":"6d4820bc-8b61-4982-9501-2123cb776c00"},{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"},{"properties":{"displayName":"Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications 
Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c","type":"Microsoft.Authorization/policyDefinitions","name":"6d8d492c-dd7a-46f7-a723-fa66a425b87c"},{"properties":{"displayName":"Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912","type":"Microsoft.Authorization/policyDefinitions","name":"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912"},{"properties":{"displayName":"Microsoft Managed Control 1175 - Configuration Management Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c","type":"Microsoft.Authorization/policyDefinitions","name":"6dab4254-c30d-4bb7-ae99-1d21586c063c"},{"properties":{"displayName":"Microsoft Managed Control 1651 - Mobile Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50","type":"Microsoft.Authorization/policyDefinitions","name":"6db63528-c9ba-491c-8a80-83e1e6977a50"},{"properties":{"displayName":"Email notification for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. 
This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"},{"properties":{"displayName":"Microsoft Managed Control 1586 - External Information System Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51","type":"Microsoft.Authorization/policyDefinitions","name":"6e3b2fbd-8f37-4766-a64d-3f37703dcb51"},{"properties":{"displayName":"Microsoft Managed Control 1536 - Risk Assessment Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502","type":"Microsoft.Authorization/policyDefinitions","name":"6e40d9de-2ad4-4cb5-8945-23143326a502"},{"properties":{"displayName":"Microsoft Managed Control 1530 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993","type":"Microsoft.Authorization/policyDefinitions","name":"6e8f9566-29f1-49cd-b61f-f8628a3cf993"},{"properties":{"displayName":"Microsoft Managed Control 1460 - Access Control For Output Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda","type":"Microsoft.Authorization/policyDefinitions","name":"6f3ce1bb-4f77-4695-8355-70b08d54fdda"},{"properties":{"displayName":"Microsoft Managed Control 1320 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77","type":"Microsoft.Authorization/policyDefinitions","name":"6f54c732-71d4-4f93-a696-4e373eca3a77"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft 
+ resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"},{"properties":{"displayName":"Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0","type":"Microsoft.Authorization/policyDefinitions","name":"6fdefbf4-93e7-4513-bc95-c1858b7093e0"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -2549,13 +2693,13 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -2563,70 +2707,72 @@ interactions: Latest Python version","description":"Latest supported Python version for App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73","type":"Microsoft.Authorization/policyDefinitions","name":"7008174a-fd10-4ef0-817e-fc820a951d73"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -2652,7 +2798,8 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameter
s(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheck
ForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientCo
nnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"strin
g"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -2673,10 +2820,34 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated 
privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to 
check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"},{"properties":{"displayName":"Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b","type":"Microsoft.Authorization/policyDefinitions","name":"704e136a-4fe0-427c-b829-cd69957f5d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"All","description":"This policy 
@@ -2684,46 +2855,49 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Gue
stConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},
{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"},{"properties":{"displayName":"Microsoft Managed Control 1509 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f","type":"Microsoft.Authorization/policyDefinitions","name":"70792197-9bfc-4813-905a-bd33993e327f"},{"properties":{"displayName":"Microsoft Managed Control 1541 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434","type":"Microsoft.Authorization/policyDefinitions","name":"70f6af82-7be6-44aa-9b15-8b9231b2e434"},{"properties":{"displayName":"Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725","type":"Microsoft.Authorization/policyDefinitions","name":"71475fb4-49bd-450b-a1a5-f63894c24725"},{"properties":{"displayName":"Microsoft Managed Control 1481 - Temperature And Humidity Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339","type":"Microsoft.Authorization/policyDefinitions","name":"717a1c78-a267-4f56-ac58-ee6c54dc4339"},{"properties":{"displayName":"Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d","type":"Microsoft.Authorization/policyDefinitions","name":"71bb965d-4047-4623-afd4-b8189a58df5d"},{"properties":{"displayName":"Microsoft Managed Control 1395 - System Maintenance Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05","type":"Microsoft.Authorization/policyDefinitions","name":"7207a023-a517-41c5-9df2-09d4c6845a05"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs on which the DSC configuration is not 
compliant","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher",
"equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"renderin
g-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProf
ile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -2735,7 +2909,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -2747,7 +2921,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equ
als":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -2758,40 +2933,40 @@ interactions: a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[parameters(''tagValue'')]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532","type":"Microsoft.Authorization/policyDefinitions","name":"726aca4c-86e9-4b04-b0c5-073027359532"},{"properties":{"displayName":"Microsoft Managed Control 1524 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268","type":"Microsoft.Authorization/policyDefinitions","name":"72f1cb4e-2439-4fe8-88ea-b8671ce3c268"},{"properties":{"displayName":"Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0","type":"Microsoft.Authorization/policyDefinitions","name":"731856d8-1598-4b75-92de-7d46235747c0"},{"properties":{"displayName":"Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65","type":"Microsoft.Authorization/policyDefinitions","name":"7327b708-f0e0-457d-9d2a-527fcc9c9a65"},{"properties":{"displayName":"Microsoft Managed Control 1456 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870","type":"Microsoft.Authorization/policyDefinitions","name":"733ba9e3-9e7c-440a-a7aa-6196a90a2870"},{"properties":{"displayName":"Microsoft Managed Control 1581 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e","type":"Microsoft.Authorization/policyDefinitions","name":"742b549b-7a25-465f-b83c-ea1ffb4f4e0e"},{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"},{"properties":{"displayName":"Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c","type":"Microsoft.Authorization/policyDefinitions","name":"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c"},{"properties":{"displayName":"Ensure that ''Python version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for 
@@ -2800,91 +2975,93 @@ interactions: App Services"},"defaultValue":"3.8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PYTHON"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PYTHON|'', parameters(''LinuxPythonLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.pythonVersion","equals":"[parameters(''WindowsPythonLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16","type":"Microsoft.Authorization/policyDefinitions","name":"74c3584d-afae-46f7-a20a-6f8adba71a16"},{"properties":{"displayName":"Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e","type":"Microsoft.Authorization/policyDefinitions","name":"7522ed84-70d5-4181-afc0-21e50b1b6d0e"},{"properties":{"displayName":"[Deprecated]: Audit enabling of diagnostic logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"},{"properties":{"displayName":"Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd","type":"Microsoft.Authorization/policyDefinitions","name":"75603f96-80a1-4757-991d-5a1221765ddd"},{"properties":{"displayName":"Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3","type":"Microsoft.Authorization/policyDefinitions","name":"7582b19c-9dba-438e-aed8-ede59ac35ba3"},{"properties":{"displayName":"Microsoft Managed Control 1459 - Access Control For Transmission Medium","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0","type":"Microsoft.Authorization/policyDefinitions","name":"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0"},{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"},{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. 
In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-
os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled extension for: '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0","type":"Microsoft.Authorization/policyDefinitions","name":"765266ab-e40e-4c61-bcb2-5a5275d0b7c0"},{"properties":{"displayName":"Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message 
Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969","type":"Microsoft.Authorization/policyDefinitions","name":"769efd9b-3587-4e22-90ce-65ddcd5bd969"},{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit - delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + delegation of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"},{"properties":{"displayName":"Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access 
Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254","type":"Microsoft.Authorization/policyDefinitions","name":"76e85d08-8fbb-4112-a1c1-93521e6a9254"},{"properties":{"displayName":"Microsoft Managed Control 1508 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086","type":"Microsoft.Authorization/policyDefinitions","name":"76f500cc-4bca-4583-bda1-6d084dc21086"},{"properties":{"displayName":"Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20","type":"Microsoft.Authorization/policyDefinitions","name":"7741669e-d4f6-485a-83cb-e70ce7cbbc20"},{"properties":{"displayName":"Azure subscriptions should have a log profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. 
It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"},{"properties":{"displayName":"Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26","type":"Microsoft.Authorization/policyDefinitions","name":"77f56280-e367-432a-a3b9-8ca2aa636a26"},{"properties":{"displayName":"Microsoft Managed Control 1258 - Contingency 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff","type":"Microsoft.Authorization/policyDefinitions","name":"7814506c-382c-4d33-a142-249dd4a0dbff"},{"properties":{"displayName":"Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893","type":"Microsoft.Authorization/policyDefinitions","name":"7818b8f4-47c6-441a-90ae-12ce04e99893"},{"properties":{"displayName":"Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c","type":"Microsoft.Authorization/policyDefinitions","name":"78255758-6d45-4bf0-a005-7016bc03b13c"},{"properties":{"displayName":"Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5","type":"Microsoft.Authorization/policyDefinitions","name":"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5"},{"properties":{"displayName":"Microsoft Managed Control 1010 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62","type":"Microsoft.Authorization/policyDefinitions","name":"784663a8-1eb0-418a-a98c-24d19bc1bb62"},{"properties":{"displayName":"Microsoft Managed Control 1216 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484","type":"Microsoft.Authorization/policyDefinitions","name":"7894fe6a-f5cb-44c8-ba90-c3f254ff9484"},{"properties":{"displayName":"Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f","type":"Microsoft.Authorization/policyDefinitions","name":"78e8e649-50f6-4fe3-99ac-fedc2e63b03f"},{"properties":{"displayName":"Microsoft Managed Control 1647 - Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c","type":"Microsoft.Authorization/policyDefinitions","name":"791cfc15-6974-42a0-9f4c-2d4b82f4a78c"},{"properties":{"displayName":"Microsoft Managed Control 1510 - Position Risk Designation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998","type":"Microsoft.Authorization/policyDefinitions","name":"79da5b09-0e7e-499e-adda-141b069c7998"},{"properties":{"displayName":"Microsoft Managed Control 1384 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7","type":"Microsoft.Authorization/policyDefinitions","name":"79fbc228-461c-4a45-9004-a865ca0728a7"},{"properties":{"displayName":"Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2893,13 +3070,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS Port Number","description":"An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS Baud Rate","description":"An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. 
For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft
.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -2910,73 +3088,74 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"},{"properties":{"displayName":"Microsoft Managed Control 1093 - Role-Based Security Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf","type":"Microsoft.Authorization/policyDefinitions","name":"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf"},{"properties":{"displayName":"Microsoft Managed Control 1708 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and 
Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48","type":"Microsoft.Authorization/policyDefinitions","name":"7a1e2c88-13de-4959-8ee7-47e3d74f1f48"},{"properties":{"displayName":"Microsoft Managed Control 1289 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf","type":"Microsoft.Authorization/policyDefinitions","name":"7a724864-956a-496c-b778-637cb1d762cf"},{"properties":{"displayName":"Microsoft Managed Control 1687 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97","type":"Microsoft.Authorization/policyDefinitions","name":"7a87fc7f-301e-49f3-ba2a-4d74f424fa97"},{"properties":{"displayName":"Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914","type":"Microsoft.Authorization/policyDefinitions","name":"7ac22808-a2e8-41c4-9d46-429b50738914"},{"properties":{"displayName":"Microsoft Managed Control 1492 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737","type":"Microsoft.Authorization/policyDefinitions","name":"7ad5f307-e045-46f7-8214-5bdb7e973737"},{"properties":{"displayName":"Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043","type":"Microsoft.Authorization/policyDefinitions","name":"7b694eed-7081-43c6-867c-41c76c961043"},{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: + investigations 
are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"},{"properties":{"displayName":"[Deprecated]: Require blob encryption for storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. 
This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"},{"properties":{"displayName":"Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e","type":"Microsoft.Authorization/policyDefinitions","name":"7c6de11b-5f51-4f7c-8d83-d2467c8a816e"},{"properties":{"displayName":"Microsoft Managed Control 1051 - Session Lock","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339","type":"Microsoft.Authorization/policyDefinitions","name":"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339"},{"properties":{"displayName":"Microsoft Managed Control 1279 - Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0","type":"Microsoft.Authorization/policyDefinitions","name":"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0"},{"properties":{"displayName":"Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec","type":"Microsoft.Authorization/policyDefinitions","name":"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec"},{"properties":{"displayName":"Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1","type":"Microsoft.Authorization/policyDefinitions","name":"7daef997-fdd3-461b-8807-a608a6dd70f1"},{"properties":{"displayName":"Microsoft Managed Control 1471 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916","type":"Microsoft.Authorization/policyDefinitions","name":"7dd0e9ce-1772-41fb-a50a-99977071f916"},{"properties":{"displayName":"Show audit results from Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledAppli
cation","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"},{"properties":{"displayName":"Microsoft Managed Control 1011 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5","type":"Microsoft.Authorization/policyDefinitions","name":"7e6a54f3-883f-43d5-87c4-172dfd64a1f5"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rende
ring-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"},{"properties":{"displayName":"Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8","type":"Microsoft.Authorization/policyDefinitions","name":"7ecda928-9df4-4dd7-8f44-641a91e470e8"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -2985,8 +3164,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -2996,13 +3175,13 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8","type":"Microsoft.Authorization/policyDefinitions","name":"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"},{"properties":{"displayName":"Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7","type":"Microsoft.Authorization/policyDefinitions","name":"7f26a61b-a74d-467c-99cf-63644db144f7"},{"properties":{"displayName":"Microsoft Managed Control 1520 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a","type":"Microsoft.Authorization/policyDefinitions","name":"7f2c513b-eb16-463b-b469-c10e5fa94f0a"},{"properties":{"displayName":"Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf","type":"Microsoft.Authorization/policyDefinitions","name":"7f37f71b-420f-49bf-9477-9c0196974ecf"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3010,94 +3189,96 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"},{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource 
Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"},{"properties":{"displayName":"Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902","type":"Microsoft.Authorization/policyDefinitions","name":"7fbfe680-6dbb-4037-963c-a621c5635902"},{"properties":{"displayName":"SQL Auditing settings should have Action-Groups configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit 
logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"},{"properties":{"displayName":"Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205","type":"Microsoft.Authorization/policyDefinitions","name":"804faf7d-b687-40f7-9f74-79e28adf4205"},{"properties":{"displayName":"Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8","type":"Microsoft.Authorization/policyDefinitions","name":"80ca0a27-918a-4604-af9e-723a27ee51e8"},{"properties":{"displayName":"Microsoft Managed Control 1505 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490","type":"Microsoft.Authorization/policyDefinitions","name":"813a10a7-3943-4fe3-8678-00dc52db5490"},{"properties":{"displayName":"Microsoft Managed Control 1614 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6","type":"Microsoft.Authorization/policyDefinitions","name":"8154e3b3-cc52-40be-9407-7756581d71f6"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This + Deploy prerequisites to audit Windows VMs configurations in ''User Rights + Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. 
Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security 
log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that 
may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -3117,7 +3298,27 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASer
vice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFiles
AndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreD
eniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type"
:"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch 
job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -3135,138 +3336,150 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"},{"properties":{"displayName":"Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229","type":"Microsoft.Authorization/policyDefinitions","name":"81817e1c-5347-48dd-965a-40159d008229"},{"properties":{"displayName":"Microsoft Managed Control 1287 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d","type":"Microsoft.Authorization/policyDefinitions","name":"819dc6da-289d-476e-8500-7e341ef8677d"},{"properties":{"displayName":"Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318","type":"Microsoft.Authorization/policyDefinitions","name":"81f11e32-a293-4a58-82cd-134af52e2318"},{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of 
the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"},{"properties":{"displayName":"Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06","type":"Microsoft.Authorization/policyDefinitions","name":"82409f9e-1f32-4775-bf07-b99d53a91b06"},{"properties":{"displayName":"Microsoft Managed Control 1448 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f","type":"Microsoft.Authorization/policyDefinitions","name":"825d6494-e583-42f2-a3f2-6458e6f0004f"},{"properties":{"displayName":"Microsoft Managed Control 1452 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74","type":"Microsoft.Authorization/policyDefinitions","name":"82c76455-4d3f-4e09-a654-22e592107e74"},{"properties":{"displayName":"Microsoft Managed Control 1262 - Contingency Plan Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265","type":"Microsoft.Authorization/policyDefinitions","name":"831e510e-db41-4c72-888e-a0621ab62265"},{"properties":{"displayName":"Microsoft Managed Control 1008 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07","type":"Microsoft.Authorization/policyDefinitions","name":"8356cfc6-507a-4d20-b818-08038011cd07"},{"properties":{"displayName":"Diagnostic logs in Event Hub should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"},{"properties":{"displayName":"Network interfaces should not have public IPs","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. 
- This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft + This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"},{"properties":{"displayName":"Microsoft Managed Control 1382 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3","type":"Microsoft.Authorization/policyDefinitions","name":"841392b3-40da-4473-b328-4cde49db67b3"},{"properties":{"displayName":"Microsoft Managed 
Control 1098 - Security Training Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822","type":"Microsoft.Authorization/policyDefinitions","name":"84363adb-dde3-411a-9fc1-36b56737f822"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"},{"properties":{"displayName":"Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44","type":"Microsoft.Authorization/policyDefinitions","name":"845f6359-b764-4b40-b579-657aefe23c44"},{"properties":{"displayName":"Microsoft Managed Control 
1024 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10","type":"Microsoft.Authorization/policyDefinitions","name":"84914fb4-12da-4c53-a341-a9fd463bed10"},{"properties":{"displayName":"Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682","type":"Microsoft.Authorization/policyDefinitions","name":"84e622c8-4bed-417c-84c6-b2fb0dd73682"},{"properties":{"displayName":"Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5","type":"Microsoft.Authorization/policyDefinitions","name":"852981b4-a380-4704-aa1e-2e52d63445e5"},{"properties":{"displayName":"Microsoft Managed Control 1580 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9","type":"Microsoft.Authorization/policyDefinitions","name":"854db8ac-6adf-42a0-bef3-b73f764f40b9"},{"properties":{"displayName":"Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. 
Users) | Acceptance Of Third-Party Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6","type":"Microsoft.Authorization/policyDefinitions","name":"855ced56-417b-4d74-9d5f-dd1bc81e22d6"},{"properties":{"displayName":"Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f","type":"Microsoft.Authorization/policyDefinitions","name":"85c32733-7d23-4948-88da-058e2c56b60f"},{"properties":{"displayName":"Microsoft Managed Control 1326 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d","type":"Microsoft.Authorization/policyDefinitions","name":"8605fc00-1bf5-4fb3-984e-c95cec4f231d"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_Securit
yOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"},{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL 
databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"},{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"},{"properties":{"displayName":"Microsoft Managed Control 1507 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e","type":"Microsoft.Authorization/policyDefinitions","name":"86ccd1bf-e7ad-4851-93ce-6ec817469c1e"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on API app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"},{"properties":{"displayName":"Microsoft Managed Control 1392 - Information 
Spillage Response | Post-Spill Operations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc","type":"Microsoft.Authorization/policyDefinitions","name":"86dc819f-15e1-43f9-a271-41ae58d4cecc"},{"properties":{"displayName":"Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8","type":"Microsoft.Authorization/policyDefinitions","name":"86ec7f9b-9478-40ff-8cfd-6a0d510081a8"},{"properties":{"displayName":"Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements 
this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e","type":"Microsoft.Authorization/policyDefinitions","name":"8713a0ed-0d1e-4d10-be82-83dffb39830e"},{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"},{"properties":{"displayName":"Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc","type":"Microsoft.Authorization/policyDefinitions","name":"874e7880-a067-42a7-bcbe-1a340f54c8cc"},{"properties":{"displayName":"Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e","type":"Microsoft.Authorization/policyDefinitions","name":"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3274,18 +3487,18 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"},{"properties":{"displayName":"Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142","type":"Microsoft.Authorization/policyDefinitions","name":"87f7cd82-2e45-4d0f-9e2f-586b0962d142"},{"properties":{"displayName":"Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953","type":"Microsoft.Authorization/policyDefinitions","name":"881299bf-2a5b-4686-a1b2-321d33679953"},{"properties":{"displayName":"Microsoft Managed Control 1356 - Incident Response Training | Simulated Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3","type":"Microsoft.Authorization/policyDefinitions","name":"8829f8f5-e8be-441e-85c9-85b72a5d0ef3"},{"properties":{"displayName":"Deploy prerequisites to audit Linux VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Linux virtual machines 
@@ -3293,9 +3506,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike"
:"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3308,15 +3521,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0","type":"Microsoft.Authorization/policyDefinitions","name":"884b209a-963b-4520-8006-d20cb3c213e0"},{"properties":{"displayName":"Microsoft Managed Control 1317 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775","type":"Microsoft.Authorization/policyDefinitions","name":"8877f519-c166-47b7-81b7-8a8eb4ff3775"},{"properties":{"displayName":"Microsoft Managed Control 1501 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51","type":"Microsoft.Authorization/policyDefinitions","name":"88817b58-8472-4f6c-81fa-58ce42b67f51"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. 
Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), 
@@ -3324,18 +3539,19 @@ interactions: interfaces should disable IP forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for - a network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft + a network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"},{"properties":{"displayName":"Microsoft Managed Control 1215 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff","type":"Microsoft.Authorization/policyDefinitions","name":"88fc93e8-4745-4785-b5a5-b44bb92c44ff"},{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL servers - configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"},{"properties":{"displayName":"Microsoft Managed Control 1411 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d","type":"Microsoft.Authorization/policyDefinitions","name":"898d4fe8-f743-4333-86b7-0c9245d93e7d"},{"properties":{"displayName":"Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305","type":"Microsoft.Authorization/policyDefinitions","name":"8a29d47b-8604-4667-84ef-90d203fcb305"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3343,110 +3559,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Comp
ute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"},{"properties":{"displayName":"Show audit results from Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReb
oot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastruct
ure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"},{"properties":{"displayName":"Microsoft Managed Control 1534 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9","type":"Microsoft.Authorization/policyDefinitions","name":"8b2b263e-cd05-4488-bcbf-4debec7a17d9"},{"properties":{"displayName":"Microsoft Managed Control 1170 - Penetration 
Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12","type":"Microsoft.Authorization/policyDefinitions","name":"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Complian
t"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines
/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Web app","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"},{"properties":{"displayName":"Microsoft Managed Control 1458 - Physical Access Control | Information System Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203","type":"Microsoft.Authorization/policyDefinitions","name":"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203"},{"properties":{"displayName":"Microsoft Managed Control 
1683 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8","type":"Microsoft.Authorization/policyDefinitions","name":"8c79fee4-88dd-44ce-bbd4-4de88948c4f8"},{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"},{"properties":{"displayName":"Microsoft Managed Control 1316 - Identifier 
Management | Identify User Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d","type":"Microsoft.Authorization/policyDefinitions","name":"8ce14753-66e5-465d-9841-26ef55c09c0d"},{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - a required tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"},{"properties":{"displayName":"Microsoft Managed Control 1324 - Authenticator 
Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee","type":"Microsoft.Authorization/policyDefinitions","name":"8cfea2b3-7f77-497e-ac20-0752f2ff6eee"},{"properties":{"displayName":"Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b","type":"Microsoft.Authorization/policyDefinitions","name":"8d096fe0-f510-4486-8b4d-d17dc230980b"},{"properties":{"displayName":"Microsoft Managed Control 1288 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f","type":"Microsoft.Authorization/policyDefinitions","name":"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f"},{"properties":{"displayName":"Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2","type":"Microsoft.Authorization/policyDefinitions","name":"8dc459b3-0e77-45af-8d71-cfd8c9654fe2"},{"properties":{"displayName":"Microsoft Managed Control 1250 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c","type":"Microsoft.Authorization/policyDefinitions","name":"8de614d8-a8b7-4f70-a62a-6d37089a002c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File 
System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"},{"properties":{"displayName":"Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59","type":"Microsoft.Authorization/policyDefinitions","name":"8e5ef485-9e16-4c53-a475-fbb8107eac59"},{"properties":{"displayName":"Microsoft Managed Control 1517 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9","type":"Microsoft.Authorization/policyDefinitions","name":"8f5ad423-50d6-4617-b058-69908f5586c9"},{"properties":{"displayName":"Microsoft Managed Control 1668 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61","type":"Microsoft.Authorization/policyDefinitions","name":"8fb0966e-be1d-42c3-baca-60df5c0bcc61"},{"properties":{"displayName":"Microsoft Managed Control 1013 - Account Management | Automated System Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61","type":"Microsoft.Authorization/policyDefinitions","name":"8fd7b917-d83b-4379-af60-51e14e316c61"},{"properties":{"displayName":"Microsoft Managed Control 1147 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541","type":"Microsoft.Authorization/policyDefinitions","name":"8fef824a-29a8-4a4c-88fc-420a39c0d541"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -3455,7 +3680,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -3464,89 +3690,92 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78","type":"Microsoft.Authorization/policyDefinitions","name":"8ff0b18b-262e-4512-857a-48ad0aeb9a78"},{"properties":{"displayName":"Microsoft Managed Control 1550 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9","type":"Microsoft.Authorization/policyDefinitions","name":"902908fb-25a8-4225-a3a5-5603c80066c9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Windows Firewall + Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest 
Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - 
profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - 
profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - 
profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base
64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]
}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -3578,7 +3807,8 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters('
'WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisp
layNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseP
rofileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnectio
ns":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -3597,10 +3827,32 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: 
Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast 
response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"},{"properties":{"displayName":"Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe","type":"Microsoft.Authorization/policyDefinitions","name":"90b60a09-133d-45bc-86ef-b206a6134bbe"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -3609,13 +3861,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -3626,36 +3878,36 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf","type":"Microsoft.Authorization/policyDefinitions","name":"90ba2ee7-4ca8-4673-84d1-c851c50d3baf"},{"properties":{"displayName":"Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316","type":"Microsoft.Authorization/policyDefinitions","name":"90d8b8ad-8ee3-4db7-913f-2a53fcff5316"},{"properties":{"displayName":"Microsoft Managed Control 1355 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0","type":"Microsoft.Authorization/policyDefinitions","name":"90e01f69-3074-4de8-ade7-0fef3e7d83e0"},{"properties":{"displayName":"Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source)","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b","type":"Microsoft.Authorization/policyDefinitions","name":"90f01329-a100-43c2-af31-098996135d2b"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},
"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"},{"properties":{"displayName":"Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb","type":"Microsoft.Authorization/policyDefinitions","name":"91c97b44-791e-46e9-bad7-ab7c4949edbb"},{"properties":{"displayName":"Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / 
Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01","type":"Microsoft.Authorization/policyDefinitions","name":"924e1b2d-c502-478f-bfdb-a7e09a0d5c01"},{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"},{"properties":{"displayName":"Microsoft Managed Control 1290 - Information System Backup","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82","type":"Microsoft.Authorization/policyDefinitions","name":"92f85ce9-17b7-49ea-85ee-ea7271ea6b82"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3663,8 +3915,8 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/mach
ines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"fi
eld":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -3672,11 +3924,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute
/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Comput
e/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -3687,49 +3939,55 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98","type":"Microsoft.Authorization/policyDefinitions","name":"93507a81-10a4-4af0-9ee2-34cf25a96e98"},{"properties":{"displayName":"Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41","type":"Microsoft.Authorization/policyDefinitions","name":"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41"},{"properties":{"displayName":"Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002","type":"Microsoft.Authorization/policyDefinitions","name":"93e9e233-dd0a-4bde-aea5-1371bce0e002"},{"properties":{"displayName":"Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439","type":"Microsoft.Authorization/policyDefinitions","name":"93fd8af1-c161-4bae-9ba9-f62731f76439"},{"properties":{"displayName":"Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b","type":"Microsoft.Authorization/policyDefinitions","name":"942b3e97-6ae3-410e-a794-c9c999b97c0b"},{"properties":{"displayName":"Microsoft Managed Control 1379 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca","type":"Microsoft.Authorization/policyDefinitions","name":"9442dd2c-a07f-46cd-b55a-553b66ba47ca"},{"properties":{"displayName":"Microsoft Managed 
Control 1371 - Incident Reporting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417","type":"Microsoft.Authorization/policyDefinitions","name":"9447f354-2c85-4700-93b3-ecdc6cb6a417"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"},{"properties":{"displayName":"Microsoft Managed Control 1526 - Access 
Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Microsoft + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9","type":"Microsoft.Authorization/policyDefinitions","name":"953e6261-a05a-44fd-8246-000e1a3edbb9"},{"properties":{"displayName":"Authentication + should be enabled on your web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"},{"properties":{"displayName":"Microsoft Managed Control 1163 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c","type":"Microsoft.Authorization/policyDefinitions","name":"961663a1-8a91-4e59-b6f5-1eee57c0f49c"},{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as 
''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"},{"properties":{"displayName":"Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef","type":"Microsoft.Authorization/policyDefinitions","name":"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef"},{"properties":{"displayName":"Advanced data security settings for SQL server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. 
This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"},{"properties":{"displayName":"Microsoft Managed Control 1453 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011","type":"Microsoft.Authorization/policyDefinitions","name":"9693b564-3008-42bc-9d5d-9c7fe198c011"},{"properties":{"displayName":"[Preview]: Show audit 
results from Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3737,103 +3995,119 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"},{"properties":{"displayName":"Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb","type":"Microsoft.Authorization/policyDefinitions","name":"976a74cf-b192-4d35-8cab-2068f272addb"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"},{"properties":{"displayName":"Microsoft Managed Control 1136 - Audit Record Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c","type":"Microsoft.Authorization/policyDefinitions","name":"97ed5bac-a92f-4f6d-a8ed-dc094723597c"},{"properties":{"displayName":"Microsoft 
Managed Control 1378 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d","type":"Microsoft.Authorization/policyDefinitions","name":"97fceb70-6983-42d0-9331-18ad8253184d"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + US2, North Central US, South Central US, West 
US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"},{"properties":{"displayName":"Microsoft Managed Control 1076 - Use Of External Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4","type":"Microsoft.Authorization/policyDefinitions","name":"98a4bd5f-6436-46d4-ad00-930b5b1dfed4"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"},{"properties":{"displayName":"Microsoft Managed Control 1102 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57","type":"Microsoft.Authorization/policyDefinitions","name":"9943c16a-c54c-4b4a-ad28-bfd938cdbf57"},{"properties":{"displayName":"Microsoft Managed Control 1300 - Identification And Authentication 
(Organizational Users)","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a","type":"Microsoft.Authorization/policyDefinitions","name":"99deec7d-5526-472e-b07c-3645a792026a"},{"properties":{"displayName":"Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71","type":"Microsoft.Authorization/policyDefinitions","name":"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71"},{"properties":{"displayName":"FTPS only should be required in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for 
enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"},{"properties":{"displayName":"Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551","type":"Microsoft.Authorization/policyDefinitions","name":"9a3eb0a3-428d-4669-baff-20a14eb4b551"},{"properties":{"displayName":"Deploy Diagnostic Settings for Azure SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub 
@@ -3847,109 +4121,113 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"},{"properties":{"displayName":"Microsoft Managed Control 1049 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements 
this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c","type":"Microsoft.Authorization/policyDefinitions","name":"9adf7ba7-900a-4f35-8d57-9f34aafc405c"},{"properties":{"displayName":"Microsoft Managed Control 1563 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd","type":"Microsoft.Authorization/policyDefinitions","name":"9afe2edf-232c-4fdf-8e6a-e867a5c525fd"},{"properties":{"displayName":"Microsoft Managed Control 1462 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02","type":"Microsoft.Authorization/policyDefinitions","name":"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02"},{"properties":{"displayName":"Microsoft IaaSAntimalware extension should be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"},{"properties":{"displayName":"Microsoft Managed Control 1236 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57","type":"Microsoft.Authorization/policyDefinitions","name":"9ba3ed84-c768-4e18-b87c-34ef1aff1b57"},{"properties":{"displayName":"Microsoft Managed Control 1525 - Personnel Transfer","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66","type":"Microsoft.Authorization/policyDefinitions","name":"9be2f688-7a61-45e3-8230-e1ec93893f66"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"},{"properties":{"displayName":"Microsoft Managed Control 1138 - Audit Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4","type":"Microsoft.Authorization/policyDefinitions","name":"9c284fc0-268a-4f29-af44-3c126674edb4"},{"properties":{"displayName":"Microsoft Managed Control 1135 - Non-Repudiation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04","type":"Microsoft.Authorization/policyDefinitions","name":"9c308b6b-2429-4b97-86cf-081b8e737b04"},{"properties":{"displayName":"Microsoft Managed Control 1489 - Location Of Information System Components","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91","type":"Microsoft.Authorization/policyDefinitions","name":"9d0a794f-1444-4c96-9534-e35fc8c39c91"},{"properties":{"displayName":"Ensure that ''Java version'' is the latest, if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"},{"properties":{"displayName":"Microsoft Managed Control 1322 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification 
and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4","type":"Microsoft.Authorization/policyDefinitions","name":"9d1d971e-467e-4278-9633-c74c3d4fecc4"},{"properties":{"displayName":"Microsoft Managed Control 1233 - Configuration Management Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57","type":"Microsoft.Authorization/policyDefinitions","name":"9d79001f-95fe-45d0-8736-f217e78c1f57"},{"properties":{"displayName":"Microsoft Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d","type":"Microsoft.Authorization/policyDefinitions","name":"9d9166a8-1722-4b8f-847c-2cf3f2618b3d"},{"properties":{"displayName":"Microsoft Managed Control 1259 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208","type":"Microsoft.Authorization/policyDefinitions","name":"9d9e18f7-bad9-4d30-8806-a0c9d5e26208"},{"properties":{"displayName":"Access through Internet facing endpoint should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure Security center has identified some of your Network Security Groups'' inbound rules to be too permissive. Inbound rules should not allow access from ''Any'' or ''Internet'' ranges. 
This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"},{"properties":{"displayName":"Microsoft Managed Control 1500 - Rules Of Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92","type":"Microsoft.Authorization/policyDefinitions","name":"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92"},{"properties":{"displayName":"Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b","type":"Microsoft.Authorization/policyDefinitions","name":"9df4277e-8c88-4d5c-9b1a-541d53d15d7b"},{"properties":{"displayName":"Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62","type":"Microsoft.Authorization/policyDefinitions","name":"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62"},{"properties":{"displayName":"Microsoft Managed Control 1490 - Security Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b","type":"Microsoft.Authorization/policyDefinitions","name":"9e61da80-0957-4892-b70c-609d5eaafb6b"},{"properties":{"displayName":"Microsoft Managed Control 1504 - Information Security 
Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd","type":"Microsoft.Authorization/policyDefinitions","name":"9e7c35d0-12d4-4e0c-80a2-8a352537aefd"},{"properties":{"displayName":"Microsoft Managed Control 1609 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f","type":"Microsoft.Authorization/policyDefinitions","name":"9e93fa71-42ac-41a7-b177-efbfdc53c69f"},{"properties":{"displayName":"Append tag and its value from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"},{"properties":{"displayName":"Microsoft Managed Control 1494 - System Security 
Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09","type":"Microsoft.Authorization/policyDefinitions","name":"9ed09d84-3311-4853-8b67-2b55dfa33d09"},{"properties":{"displayName":"Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7","type":"Microsoft.Authorization/policyDefinitions","name":"9ed5ca00-0e43-434e-a018-7aab91461ba7"},{"properties":{"displayName":"Microsoft Managed Control 1187 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85","type":"Microsoft.Authorization/policyDefinitions","name":"9f2b2f9e-4ba6-46c3-907f-66db138b6f85"},{"properties":{"displayName":"Show audit results from Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"c
loud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"},{"properties":{"displayName":"Microsoft Managed Control 1354 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796","type":"Microsoft.Authorization/policyDefinitions","name":"9fd92c17-163a-4511-bb96-bbb476449796"},{"properties":{"displayName":"[Preview]: Show audit results 
from Windows VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This 
@@ -3957,42 +4235,44 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCom
pute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"},{"properties":{"displayName":"Microsoft Managed Control 1145 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28","type":"Microsoft.Authorization/policyDefinitions","name":"a0724970-9c75-4a64-a225-a28002953f28"},{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ''tags'' and ''location'' will be affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The list of resource types that can be deployed.","displayName":"Allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"},{"properties":{"displayName":"Microsoft Managed Control 1245 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516","type":"Microsoft.Authorization/policyDefinitions","name":"a0e45314-57b8-4623-80cd-bbb561f59516"},{"properties":{"displayName":"Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa","type":"Microsoft.Authorization/policyDefinitions","name":"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa"},{"properties":{"displayName":"Security Center standard pricing tier should be selected","policyType":"BuiltIn","mode":"All","description":"The 
standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. 
To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"},{"properties":{"displayName":"Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972","type":"Microsoft.Authorization/policyDefinitions","name":"a18adb5b-1db6-4a5b-901a-7d3797d12972"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic 
settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -4011,111 +4291,114 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsof
t.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-ser
ver*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"},{"properties":{"displayName":"Microsoft Managed Control 1612 - Developer Security Architecture And Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5","type":"Microsoft.Authorization/policyDefinitions","name":"a2037b3d-8b04-4171-8610-e6d4f1d08db5"},{"properties":{"displayName":"Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Configuration Management control","metadata":{"category":"Regulatory + this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c","type":"Microsoft.Authorization/policyDefinitions","name":"a20d2eaa-88e2-4907-96a2-8f3a05797e5c"},{"properties":{"displayName":"Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737","type":"Microsoft.Authorization/policyDefinitions","name":"a23d9d53-ad2e-45ef-afd5-e6d10900a737"},{"properties":{"displayName":"Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b","type":"Microsoft.Authorization/policyDefinitions","name":"a2567a23-d1c3-4783-99f3-d471302a4d6b"},{"properties":{"displayName":"Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be","type":"Microsoft.Authorization/policyDefinitions","name":"a2596a9f-e59f-420d-9625-6e0b536348be"},{"properties":{"displayName":"Microsoft Managed Control 1059 - Remote 
Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4","type":"Microsoft.Authorization/policyDefinitions","name":"a29b5d9f-4953-4afe-b560-203a6410b6b4"},{"properties":{"displayName":"Show audit results from Windows VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"},{"properties":{"displayName":"Microsoft Managed Control 1532 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52","type":"Microsoft.Authorization/policyDefinitions","name":"a2c66299-9017-4d95-8040-8bdbf7901d52"},{"properties":{"displayName":"Microsoft 
Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac","type":"Microsoft.Authorization/policyDefinitions","name":"a2cdf6b8-9505-4619-b579-309ba72037ac"},{"properties":{"displayName":"Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab","type":"Microsoft.Authorization/policyDefinitions","name":"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab"},{"properties":{"displayName":"Microsoft Managed Control 1238 - User-Installed Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1","type":"Microsoft.Authorization/policyDefinitions","name":"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1"},{"properties":{"displayName":"Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77","type":"Microsoft.Authorization/policyDefinitions","name":"a450eba6-2efc-4a00-846a-5804a93c6b77"},{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"},{"properties":{"displayName":"Web Application should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"},{"properties":{"displayName":"Microsoft Managed Control 1617 - Application Partitioning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3","type":"Microsoft.Authorization/policyDefinitions","name":"a631d8f5-eb81-4f9d-9ee1-74431371e4a3"},{"properties":{"displayName":"Auditing - should be enabled on advanced data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. 
It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"},{"properties":{"displayName":"The Log Analytics agent should be installed on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is not 
installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"},{"properties":{"displayName":"Microsoft Managed Control 1431 - Media Storage","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4","type":"Microsoft.Authorization/policyDefinitions","name":"a7173c52-2b99-4696-a576-63dd5f970ef4"},{"properties":{"displayName":"Microsoft Managed 
Control 1644 - Cryptographic Key Establishment And Management | Availability","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147","type":"Microsoft.Authorization/policyDefinitions","name":"a7211477-c970-446b-b4af-062f37461147"},{"properties":{"displayName":"Microsoft Managed Control 1027 - Access Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c","type":"Microsoft.Authorization/policyDefinitions","name":"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c"},{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security + that is part of an 
application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"},{"properties":{"displayName":"Microsoft Managed Control 1570 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a","type":"Microsoft.Authorization/policyDefinitions","name":"a7fcf38d-bb09-4600-be7d-825046eb162a"},{"properties":{"displayName":"Require encryption on Data Lake Store accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data + policy ensures encryption is enabled on all Data Lake Store 
accounts","metadata":{"version":"1.0.0","category":"Data Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"},{"properties":{"displayName":"Microsoft Managed Control 1295 - Information System Recovery And Reconstitution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated] + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9","type":"Microsoft.Authorization/policyDefinitions","name":"a895fbdb-204d-4302-9689-0a59dc42b3d9"},{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL databases in Azure Security 
Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"},{"properties":{"displayName":"Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491","type":"Microsoft.Authorization/policyDefinitions","name":"a9172e76-7f56-46e9-93bf-75d69bdb5491"},{"properties":{"displayName":"Microsoft Managed Control 1400 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424","type":"Microsoft.Authorization/policyDefinitions","name":"a96d5098-a604-4cdf-90b1-ef6449a27424"},{"properties":{"displayName":"Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e","type":"Microsoft.Authorization/policyDefinitions","name":"a96f743d-a195-420d-983a-08aa06bc441e"},{"properties":{"displayName":"Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e","type":"Microsoft.Authorization/policyDefinitions","name":"a9a08d1c-09b1-48f1-90ea-029bbdf7111e"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4123,172 +4406,185 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","deta
ils":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"fiel
d":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"},{"properties":{"displayName":"Deploy network watcher when virtual networks are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which - will be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + will be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"},{"properties":{"displayName":"Microsoft Managed Control 1511 - Personnel Screening","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8","type":"Microsoft.Authorization/policyDefinitions","name":"a9eae324-d327-4539-9293-b48e122465f8"},{"properties":{"displayName":"MFA should be enabled on accounts with owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"},{"properties":{"displayName":"Microsoft Managed Control 1539 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0","type":"Microsoft.Authorization/policyDefinitions","name":"aabb155f-e7a5-4896-a767-e918bfae2ee0"},{"properties":{"displayName":"Microsoft Managed Control 1006 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8","type":"Microsoft.Authorization/policyDefinitions","name":"aae8d54c-4bce-4c04-b3aa-5b65b67caac8"},{"properties":{"displayName":"Microsoft Managed Control 1461 - Monitoring Physical Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064","type":"Microsoft.Authorization/policyDefinitions","name":"aafef03e-fea8-470b-88fa-54bd1fcd7064"},{"properties":{"displayName":"Microsoft Managed Control 1073 - Access Control For Mobile Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c","type":"Microsoft.Authorization/policyDefinitions","name":"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c"},{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"},{"properties":{"displayName":"[Deprecated]: Automatic provisioning of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"},{"properties":{"displayName":"Microsoft Managed Control 1323 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc","type":"Microsoft.Authorization/policyDefinitions","name":"abe8f70b-680f-470c-9b86-a7edfb664ecc"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"},{"properties":{"displayName":"Advanced data security should be enabled on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Microsoft + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"},{"properties":{"displayName":"Enable + Azure Security Center on your subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select 
the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"},{"properties":{"displayName":"Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d","type":"Microsoft.Authorization/policyDefinitions","name":"ac43352f-df83-4694-8738-cfce549fd08d"},{"properties":{"displayName":"[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: + and configure relevant authorization policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft + values: production, dev, test, staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"},{"properties":{"displayName":"Microsoft Managed Control 1569 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34","type":"Microsoft.Authorization/policyDefinitions","name":"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34"},{"properties":{"displayName":"Microsoft Managed Control 1454 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229","type":"Microsoft.Authorization/policyDefinitions","name":"ad58985d-ab32-4f99-8bd3-b7e134c90229"},{"properties":{"displayName":"Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95","type":"Microsoft.Authorization/policyDefinitions","name":"adfe020d-0a97-45f4-a39c-696ef99f3a95"},{"properties":{"displayName":"Microsoft Managed Control 1272 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8","type":"Microsoft.Authorization/policyDefinitions","name":"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8"},{"properties":{"displayName":"SQL Server should 
use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"},{"properties":{"displayName":"Microsoft Managed Control 1598 - Developer Configuration Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3","type":"Microsoft.Authorization/policyDefinitions","name":"ae7e1f5e-2d63-4b38-91ef-bce14151cce3"},{"properties":{"displayName":"Email 
notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"},{"properties":{"displayName":"Microsoft Managed Control 1413 - Nonlocal Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d","type":"Microsoft.Authorization/policyDefinitions","name":"aeedddb6-6bc0-42d5-809b-80048033419d"},{"properties":{"displayName":"Microsoft Managed Control 1710 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e","type":"Microsoft.Authorization/policyDefinitions","name":"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e"},{"properties":{"displayName":"Monitor missing Endpoint Protection in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated] + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"},{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL servers which don''t have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"},{"properties":{"displayName":"Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this System and Communications Protection control","metadata":{"category":"Regulatory + this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c","type":"Microsoft.Authorization/policyDefinitions","name":"afbd0baf-ff1a-4447-a86f-088a97347c0c"},{"properties":{"displayName":"Microsoft Managed Control 1725 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc","type":"Microsoft.Authorization/policyDefinitions","name":"afc234b5-456b-4aa5-b3e2-ce89108124cc"},{"properties":{"displayName":"Activity log should be retained for at least one year","policyType":"BuiltIn","mode":"All","description":"This policy audits the activity log if the retention is not set for 365 days or - forever (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + forever (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"},{"properties":{"displayName":"Microsoft Managed Control 1429 - Media Marking","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80","type":"Microsoft.Authorization/policyDefinitions","name":"b07c9b24-729e-4e85-95fc-f224d2d08a80"},{"properties":{"displayName":"Microsoft Managed Control 1711 - Security Function Verification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde","type":"Microsoft.Authorization/policyDefinitions","name":"b083a535-a66a-41ec-ba7f-f9498bf67cde"},{"properties":{"displayName":"Just-In-Time network access control should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"},{"properties":{"displayName":"Microsoft Managed Control 1571 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition 
control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905","type":"Microsoft.Authorization/policyDefinitions","name":"b11c985b-f2cd-4bd7-85f4-b52426edf905"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authoriza
tion/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"},{"properties":{"displayName":"Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1","type":"Microsoft.Authorization/policyDefinitions","name":"b19454ca-0d70-42c0-acf5-ea1c1e5726d1"},{"properties":{"displayName":"Microsoft Managed Control 1091 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d","type":"Microsoft.Authorization/policyDefinitions","name":"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d"},{"properties":{"displayName":"Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Access Control 
control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft + this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d","type":"Microsoft.Authorization/policyDefinitions","name":"b25faf85-8a16-4f28-8e15-d05c0072d64d"},{"properties":{"displayName":"Microsoft Managed Control 1009 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a","type":"Microsoft.Authorization/policyDefinitions","name":"b26f8610-e615-47c2-abd6-c00b2b0b503a"},{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"},{"properties":{"displayName":"Microsoft Managed Control 1234 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management 
control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b","type":"Microsoft.Authorization/policyDefinitions","name":"b293f881-361c-47ed-b997-bc4e2296bc0b"},{"properties":{"displayName":"Microsoft Managed Control 1107 - Content Of Audit Records","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904","type":"Microsoft.Authorization/policyDefinitions","name":"b29ed931-8e21-4779-8458-27916122a904"},{"properties":{"displayName":"Deploy prerequisites to audit Windows web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
@@ -4297,10 +4593,10 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum TLS version","description":"The minimum TLS protocol version that should be - enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-inter
net-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + enabled. Windows web servers with lower TLS versions will be marked as 
non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/
imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4315,80 +4611,85 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsof
t.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"},{"properties":{"displayName":"Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b","type":"Microsoft.Authorization/policyDefinitions","name":"b3d8d15b-627a-4219-8c96-4d16f788888b"},{"properties":{"displayName":"Microsoft Managed Control 1380 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827","type":"Microsoft.Authorization/policyDefinitions","name":"b4319b7e-ea8d-42ff-8a67-ccd462972827"},{"properties":{"displayName":"Diagnostic logs in Search services should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"},{"properties":{"displayName":"Microsoft Managed Control 1172 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c","type":"Microsoft.Authorization/policyDefinitions","name":"b43e946e-a4c8-4b92-8201-4a39331db43c"},{"properties":{"displayName":"Microsoft Managed Control 1672 - Flaw Remediation | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301","type":"Microsoft.Authorization/policyDefinitions","name":"b45fe972-904e-45a4-ac20-673ba027a301"},{"properties":{"displayName":"Microsoft Managed Control 1131 - Protection Of Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962","type":"Microsoft.Authorization/policyDefinitions","name":"b472a17e-c2bc-493f-b50b-42d55a346962"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for an API App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A + Use of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the 
execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"},{"properties":{"displayName":"A security contact phone number should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"},{"properties":{"displayName":"Microsoft Managed Control 1286 - Telecommunications Services | Provider 
Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1","type":"Microsoft.Authorization/policyDefinitions","name":"b4f9b47a-2116-4e6f-88db-4edbf22753f1"},{"properties":{"displayName":"Service Fabric clusters should only use Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"},{"properties":{"displayName":"Deploy Advanced Threat Protection for Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos + policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"},{"properties":{"displayName":"Diagnostic logs in App Services should be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"},{"properties":{"displayName":"Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d","type":"Microsoft.Authorization/policyDefinitions","name":"b6747bf9-2b97-45b8-b162-3c8becb9937d"},{"properties":{"displayName":"Microsoft Managed Control 1301 - Identification And Authentication (Org. 
Users) | Network Access To Privileged Accounts","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08"},{"properties":{"displayName":"Microsoft Managed Control 1568 - Acquisition Process","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6","type":"Microsoft.Authorization/policyDefinitions","name":"b6a8eae8-9854-495a-ac82-d2cd3eac02a6"},{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 
Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"},{"properties":{"displayName":"Microsoft Managed Control 1608 - Supply Chain Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f","type":"Microsoft.Authorization/policyDefinitions","name":"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f"},{"properties":{"displayName":"Microsoft Managed Control 1401 - Controlled Maintenance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847","type":"Microsoft.Authorization/policyDefinitions","name":"b78ee928-e3c1-4569-ad97-9f8c4b629847"},{"properties":{"displayName":"API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures 
server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -4397,10 +4698,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A semicolon-separated list of all the expected members of the Administrators - local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-wi
ndows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/im
ageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4415,11 +4716,12 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestC
onfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"},{"properties":{"displayName":"Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -4430,21 +4732,27 @@ interactions: - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable logs","description":"Whether to enable logs stream to the Event Hub - True or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"Microsoft + ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"},{"properties":{"displayName":"An + activity log alert should exist for specific Administrative 
operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameter
s(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"},{"properties":{"displayName":"Microsoft Managed Control 1257 - Contingency Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543","type":"Microsoft.Authorization/policyDefinitions","name":"b958b241-4245-4bd6-bd2d-b8f0779fb543"},{"properties":{"displayName":"Microsoft Managed Control 1186 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d","type":"Microsoft.Authorization/policyDefinitions","name":"b95ba3bd-4ded-49ea-9d10-c6f4b680813d"},{"properties":{"displayName":"Microsoft Managed Control 1447 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a","type":"Microsoft.Authorization/policyDefinitions","name":"b9783a99-98fe-4a95-873f-29613309fe9a"},{"properties":{"displayName":"Microsoft Managed Control 1625 - Boundary Protection | Access Points","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605","type":"Microsoft.Authorization/policyDefinitions","name":"b9b66a4d-70a1-4b47-8fa1-289cec68c605"},{"properties":{"displayName":"Microsoft Managed Control 1610 - Development Process, Standards, And Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491","type":"Microsoft.Authorization/policyDefinitions","name":"b9f3fb54-4222-46a1-a308-4874061f8491"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4452,51 +4760,51 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft
.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"},{"properties":{"displayName":"Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca","type":"Microsoft.Authorization/policyDefinitions","name":"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca"},{"properties":{"displayName":"Microsoft Managed Control 1726 - Information Handling And Retention","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4","type":"Microsoft.Authorization/policyDefinitions","name":"baff1279-05e0-4463-9a70-8ba5de4c7aa4"},{"properties":{"displayName":"Microsoft Managed Control 1166 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e","type":"Microsoft.Authorization/policyDefinitions","name":"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e"},{"properties":{"displayName":"Microsoft Managed Control 1188 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e","type":"Microsoft.Authorization/policyDefinitions","name":"bb20548a-c926-4e4d-855c-bcddc6faf95e"},{"properties":{"displayName":"Microsoft Managed Control 1533 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa","type":"Microsoft.Authorization/policyDefinitions","name":"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. 
It is recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies whether to disconnect users 
who are connected to the local computer outside their user account''s valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaselin
e_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft network client: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', 
@@ -4506,25 +4814,35 @@ interactions: '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDi
sconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogo
nHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft 
network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"},{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft + older classes and types can 
make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"},{"properties":{"displayName":"Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09","type":"Microsoft.Authorization/policyDefinitions","name":"bc34667f-397e-4a65-9b72-d0358f0b6b09"},{"properties":{"displayName":"Microsoft Managed Control 1095 - Role-Based Security 
Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6","type":"Microsoft.Authorization/policyDefinitions","name":"bc3f6f7a-057b-433e-9834-e8c97b0194f6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4532,28 +4850,29 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Mic
rosoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"},{"properties":{"displayName":"Microsoft Managed Control 1427 - Media Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31","type":"Microsoft.Authorization/policyDefinitions","name":"bc90e44f-d83f-4bdf-900f-3d5eb4111b31"},{"properties":{"displayName":"Microsoft Managed Control 1351 - Incident Response Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd","type":"Microsoft.Authorization/policyDefinitions","name":"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd"},{"properties":{"displayName":"Microsoft Managed Control 1050 - Concurrent Session Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f","type":"Microsoft.Authorization/policyDefinitions","name":"bd20184c-b4ec-4ce5-8db6-6e86352d183f"},{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling IP forwarding on a virtual machine''s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + 
Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4561,20 +4880,20 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/m
achines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"f
ield":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Java version for the latest security classes. 
Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"},{"properties":{"displayName":"Microsoft Managed Control 1360 - Incident Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e","type":"Microsoft.Authorization/policyDefinitions","name":"be5b05e7-0b82-4ebc-9eda-25e447b1a41e"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is - created or 
updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -4587,57 +4906,63 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"},{"properties":{"displayName":"Microsoft Managed Control 1152 - System Interconnections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b","type":"Microsoft.Authorization/policyDefinitions","name":"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b"},{"properties":{"displayName":"Geo-redundant storage should be enabled for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not 
enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"},{"properties":{"displayName":"Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f","type":"Microsoft.Authorization/policyDefinitions","name":"bf296b8c-f391-4ea4-9198-be3c9d39dd1f"},{"properties":{"displayName":"Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd","type":"Microsoft.Authorization/policyDefinitions","name":"bf6850fe-abba-468e-9ef4-d09ec7d983cd"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Logon-Logoff''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group 
Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"},{"properties":{"displayName":"Only approved VM extensions should be installed","policyType":"BuiltIn","mode":"Indexed","description":"This - policy governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + policy governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"},{"properties":{"displayName":"Microsoft Managed Control 1124 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4","type":"Microsoft.Authorization/policyDefinitions","name":"c10152dd-78f8-4335-ae2d-ad92cc028da4"},{"properties":{"displayName":"Microsoft Managed Control 1676 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b","type":"Microsoft.Authorization/policyDefinitions","name":"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b"},{"properties":{"displayName":"Microsoft Managed Control 1719 - Spam Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a","type":"Microsoft.Authorization/policyDefinitions","name":"c13da9b4-fe14-4fe2-853a-5997c9d4215a"},{"properties":{"displayName":"Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c","type":"Microsoft.Authorization/policyDefinitions","name":"c158eb1c-ae7e-4081-8057-d527140c4e0c"},{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom + custom provider. This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources + provider ID","description":"Resource ID of the Custom provider to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association 
@@ -4649,42 +4974,49 @@ interactions: uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"},{"properties":{"displayName":"Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2","type":"Microsoft.Authorization/policyDefinitions","name":"c171b095-7756-41de-8644-a062a96043f2"},{"properties":{"displayName":"Microsoft Managed Control 1004 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835","type":"Microsoft.Authorization/policyDefinitions","name":"c17822dc-736f-4eb4-a97d-e6be662ff835"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serv
er-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are 
generated when credentials are submitted for a user account logon request. This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualM
achines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"},{"properties":{"displayName":"Microsoft Managed Control 1503 - Information Security Architecture","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d","type":"Microsoft.Authorization/policyDefinitions","name":"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) 
@@ -4737,7 +5069,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hybri
dCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -4751,67 +5083,79 @@ interactions: should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and ''Running''. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]
},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"fi
eld":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"},{"properties":{"displayName":"Ensure that ''.Net Framework'' version is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. 
Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"},{"properties":{"displayName":"Microsoft Managed Control 1176 - Baseline Configuration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd","type":"Microsoft.Authorization/policyDefinitions","name":"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd"},{"properties":{"displayName":"Microsoft Managed Control 1389 - Information Spillage 
Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062","type":"Microsoft.Authorization/policyDefinitions","name":"c39e6fda-ae70-4891-a739-be7bba6d1062"},{"properties":{"displayName":"Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0","type":"Microsoft.Authorization/policyDefinitions","name":"c3b65b63-09ec-4cb5-8028-7dd324d10eb0"},{"properties":{"displayName":"System updates on virtual machine scale sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"},{"properties":{"displayName":"[Preview]: Show audit results from Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.
Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization
/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"},{"properties":{"displayName":"Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6","type":"Microsoft.Authorization/policyDefinitions","name":"c40f31a7-81e1-4130-99e5-a02ceea2a1d6"},{"properties":{"displayName":"Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290","type":"Microsoft.Authorization/policyDefinitions","name":"c416970d-b12b-49eb-8af4-fb144cd7c290"},{"properties":{"displayName":"Microsoft Antimalware for Azure should be configured to automatically update protection 
signatures","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows virtual machine not configured with automatic update of - Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"},{"properties":{"displayName":"[Preview]: Container Registry should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"},{"properties":{"displayName":"Microsoft Managed Control 1235 - Software Usage Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46","type":"Microsoft.Authorization/policyDefinitions","name":"c49c610b-ece4-44b3-988c-2172b70d6e46"},{"properties":{"displayName":"Microsoft Managed Control 1173 - Internal System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5","type":"Microsoft.Authorization/policyDefinitions","name":"c4aff9e7-2e60-46fa-86be-506b79033fc5"},{"properties":{"displayName":"Managed identity should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Use - a managed identity for enhanced authentication security","metadata":{"category":"App + a managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Microsoft + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"},{"properties":{"displayName":"Authentication + should be enabled on your API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"},{"properties":{"displayName":"Microsoft Managed Control 1600 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"Microsoft + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6","type":"Microsoft.Authorization/policyDefinitions","name":"c53f3123-d233-44a7-930b-f40d3bfeb7d6"},{"properties":{"displayName":"An + activity log alert should exist for specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + 
exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"},{"properties":{"displayName":"Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2","type":"Microsoft.Authorization/policyDefinitions","name":"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -4819,28 +5163,28 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. 
If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","eq
uals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', 
@@ -4854,39 +5198,45 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"},{"properties":{"displayName":"Microsoft Managed Control 1670 - Flaw Remediation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c","type":"Microsoft.Authorization/policyDefinitions","name":"c6108469-57ee-4666-af7e-79ba61c7ae0c"},{"properties":{"displayName":"Microsoft Managed Control 1190 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration 
Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892","type":"Microsoft.Authorization/policyDefinitions","name":"c66a3d1e-465b-4f28-9da5-aef701b59892"},{"properties":{"displayName":"Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3","type":"Microsoft.Authorization/policyDefinitions","name":"c69b870e-857b-458b-af02-bb234f7a00d3"},{"properties":{"displayName":"Microsoft Managed Control 1125 - Audit Reduction And Report Generation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10","type":"Microsoft.Authorization/policyDefinitions","name":"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10"},{"properties":{"displayName":"Microsoft Managed Control 1619 - Information In Shared Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1","type":"Microsoft.Authorization/policyDefinitions","name":"c722e569-cb52-45f3-a643-836547d016e1"},{"properties":{"displayName":"Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory - 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Microsoft + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1","type":"Microsoft.Authorization/policyDefinitions","name":"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1"},{"properties":{"displayName":"Authentication + should be enabled on your Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"},{"properties":{"displayName":"Microsoft Managed Control 1353 - Incident Response Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748","type":"Microsoft.Authorization/policyDefinitions","name":"c785ad59-f78f-44ad-9a7f-d1202318c748"},{"properties":{"displayName":"Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. 
This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -4900,11 +5250,11 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5","type":"Microsoft.Authorization/policyDefinitions","name":"c84e5349-db6d-4769-805e-e14037dab9b5"},{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"},{"properties":{"displayName":"Microsoft Managed Control 1470 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and 
Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef","type":"Microsoft.Authorization/policyDefinitions","name":"c89ba09f-2e0f-44d0-8095-65b05bd151ef"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4912,32 +5262,33 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"},{"properties":{"displayName":"Microsoft Managed Control 1018 - Account Management | Role-Based Schemes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f","type":"Microsoft.Authorization/policyDefinitions","name":"c9121abf-e698-4ee9-b1cf-71ee528ff07f"},{"properties":{"displayName":"Diagnostic logs in Data Lake Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}
}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osPr
ofile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs with a pending reboot","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/micros
oft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals"
:"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -4948,7 +5299,7 @@ interactions: Diagnostic Settings for Network Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource 
@@ -4964,30 +5315,31 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"},{"properties":{"displayName":"Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516","type":"Microsoft.Authorization/policyDefinitions","name":"ca94b046-45e2-444f-a862-dc8ce262a516"},{"properties":{"displayName":"Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec","type":"Microsoft.Authorization/policyDefinitions","name":"ca9a4469-d6df-4ab2-a42f-1213c396f0ec"},{"properties":{"displayName":"Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. 
- Replay","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff","type":"Microsoft.Authorization/policyDefinitions","name":"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff"},{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"},{"properties":{"displayName":"Microsoft Managed Control 1486 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5","type":"Microsoft.Authorization/policyDefinitions","name":"cb790345-a51f-43de-934e-98dbfaf9dca5"},{"properties":{"displayName":"Microsoft Managed Control 1167 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300","type":"Microsoft.Authorization/policyDefinitions","name":"cbb2be76-4891-430b-95a7-ca0b0a3d1300"},{"properties":{"displayName":"Microsoft Managed Control 1374 - Incident Response Assistance","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249","type":"Microsoft.Authorization/policyDefinitions","name":"cc5c8616-52ef-4e5e-8000-491634ed9249"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain only the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -4995,88 +5347,95 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCom
pute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"},{"properties":{"displayName":"[Preview]: Sensitive data in your SQL databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"},{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can 
deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"},{"properties":{"displayName":"Microsoft Managed Control 1443 - Media Use","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed","type":"Microsoft.Authorization/policyDefinitions","name":"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed"},{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. 
Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"},{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft + resource creation only if the ''department'' tag is 
set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"},{"properties":{"displayName":"Microsoft Managed Control 1582 - Information System Documentation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5","type":"Microsoft.Authorization/policyDefinitions","name":"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHi
story","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compu
te/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"},{"properties":{"displayName":"Microsoft Managed Control 1104 - Audit Events","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f","type":"Microsoft.Authorization/policyDefinitions","name":"cdd8d244-18b2-4306-a1d1-df175ae0935f"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"},{"properties":{"displayName":"Microsoft Managed Control 1209 - Configuration Settings","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d","type":"Microsoft.Authorization/policyDefinitions","name":"ce669c31-9103-4552-ae9c-cdef4e03580d"},{"properties":{"displayName":"Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958","type":"Microsoft.Authorization/policyDefinitions","name":"cf3b3293-667a-445e-a722-fa0b0afc0958"},{"properties":{"displayName":"Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0","type":"Microsoft.Authorization/policyDefinitions","name":"cf3e4836-f19e-47eb-a8cd-c3ca150452c0"},{"properties":{"displayName":"Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic + this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283","type":"Microsoft.Authorization/policyDefinitions","name":"cf55fc87-48e1-4676-a2f8-d9a8cf993283"},{"properties":{"displayName":"Diagnostic logs in Key Vault should be 
enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"1.0.0","category":"Key + Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"},{"properties":{"displayName":"Microsoft Managed Control 1292 - Information System Backup | Test 
Restoration Using Sampling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836","type":"Microsoft.Authorization/policyDefinitions","name":"d03516cf-0293-489f-9b32-a18f2a79f836"},{"properties":{"displayName":"Microsoft Managed Control 1724 - Error Handling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6","type":"Microsoft.Authorization/policyDefinitions","name":"d07594d1-0307-4c08-94db-5d71ff31f0f6"},{"properties":{"displayName":"Microsoft Managed Control 1084 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c","type":"Microsoft.Authorization/policyDefinitions","name":"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c"},{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', 
@@ -5087,30 +5446,32 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"},{"properties":{"displayName":"Microsoft Managed Control 1620 - Denial Of Service Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c","type":"Microsoft.Authorization/policyDefinitions","name":"d17c826b-1dec-43e1-a984-7b71c446649c"},{"properties":{"displayName":"Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6","type":"Microsoft.Authorization/policyDefinitions","name":"d1880188-e51a-4772-b2ab-68f5e8bd27f6"},{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom 
domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"},{"properties":{"displayName":"Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2","type":"Microsoft.Authorization/policyDefinitions","name":"d1e1d65c-1013-4484-bd54-991332e6a0d2"},{"properties":{"displayName":"Microsoft Managed Control 1721 - Spam Protection | Central Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a","type":"Microsoft.Authorization/policyDefinitions","name":"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a"},{"properties":{"displayName":"Microsoft Managed Control 1106 - Audit Events | Reviews And Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8","type":"Microsoft.Authorization/policyDefinitions","name":"d2b4feae-61ab-423f-a4c5-0e38ac4464d8"},{"properties":{"displayName":"Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1","type":"Microsoft.Authorization/policyDefinitions","name":"d3531453-b869-4606-9122-29c1cd6e7ed1"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5120,8 +5481,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[
{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5131,33 +5492,33 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a","type":"Microsoft.Authorization/policyDefinitions","name":"d38b4c26-9d2e-47d7-aefe-18d859a8706a"},{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"},{"properties":{"displayName":"Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24","type":"Microsoft.Authorization/policyDefinitions","name":"d39d4f68-7346-4133-8841-15318a714a24"},{"properties":{"displayName":"Microsoft Managed Control 1249 - Contingency Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning 
control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2","type":"Microsoft.Authorization/policyDefinitions","name":"d3bf4251-0818-42db-950b-afd5b25a51c2"},{"properties":{"displayName":"Microsoft Managed Control 1562 - Allocation Of Resources","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef","type":"Microsoft.Authorization/policyDefinitions","name":"d4142013-7964-4163-a313-a900301c2cef"},{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + 
approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"},{"properties":{"displayName":"Microsoft Managed Control 1383 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9","type":"Microsoft.Authorization/policyDefinitions","name":"d4558451-e16a-4d2d-a066-fe12a6282bb9"},{"properties":{"displayName":"Microsoft Managed Control 1112 - Response To Audit Processing 
Failures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0","type":"Microsoft.Authorization/policyDefinitions","name":"d530aad8-4ee2-45f4-b234-c061dae683c0"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown 
@@ -5170,57 +5531,57 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03","type":"Microsoft.Authorization/policyDefinitions","name":"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"},{"properties":{"displayName":"Microsoft Managed Control 1585 - Security Engineering Principles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55","type":"Microsoft.Authorization/policyDefinitions","name":"d57f8732-5cdc-4cda-8d27-ab148e1f3a55"},{"properties":{"displayName":"Microsoft Managed Control 1667 - System And Information Integrity Policy And 
Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220","type":"Microsoft.Authorization/policyDefinitions","name":"d61880dc-6e38-4f2a-a30c-3406a98f8220"},{"properties":{"displayName":"Microsoft Managed Control 1150 - Security Assessments | External Organizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb","type":"Microsoft.Authorization/policyDefinitions","name":"d630429d-e763-40b1-8fba-d20ba7314afb"},{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - 
endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"},{"properties":{"displayName":"Microsoft Managed Control 1549 - Vulnerability Scanning","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a","type":"Microsoft.Authorization/policyDefinitions","name":"d6976a08-d969-4df2-bb38-29556c2eb48a"},{"properties":{"displayName":"Microsoft Managed Control 1473 - Emergency Power","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection 
control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71","type":"Microsoft.Authorization/policyDefinitions","name":"d7047705-d719-46a7-8bb0-76ad233eba71"},{"properties":{"displayName":"Microsoft Managed Control 1529 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c","type":"Microsoft.Authorization/policyDefinitions","name":"d74fdc92-1cb8-4a34-9978-8556425cd14c"},{"properties":{"displayName":"Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. 
Users) | Use Of FICAM-Issued Profiles","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4","type":"Microsoft.Authorization/policyDefinitions","name":"d77fd943-6ba6-4a21-ba07-22b03e347cc4"},{"properties":{"displayName":"Show audit results from Windows Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialCons
ole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"},{"properties":{"displayName":"Microsoft Managed Control 1016 - Account Management | Automated Audit Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238","type":"Microsoft.Authorization/policyDefinitions","name":"d8b43277-512e-40c3-ab00-14b3b6e72238"},{"properties":{"displayName":"Microsoft 
Managed Control 1488 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2","type":"Microsoft.Authorization/policyDefinitions","name":"d8ef30eb-a44f-47af-8524-ac19a36d41d2"},{"properties":{"displayName":"Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f","type":"Microsoft.Authorization/policyDefinitions","name":"d922484a-8cfc-4a6b-95a4-77d6a685407f"},{"properties":{"displayName":"Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada","type":"Microsoft.Authorization/policyDefinitions","name":"da3bfb53-9c46-4010-b3db-a7ba1296dada"},{"properties":{"displayName":"Microsoft Managed Control 1516 - Personnel Termination","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed","type":"Microsoft.Authorization/policyDefinitions","name":"da3cd269-156f-435b-b472-c3af34c032ed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Batch Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5234,41 +5595,43 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Batch/batchAccounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ServiceLog","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7","type":"Microsoft.Authorization/policyDefinitions","name":"db51110f-0865-4a6e-b274-e2e07a5b2cd7"},{"properties":{"displayName":"Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa","type":"Microsoft.Authorization/policyDefinitions","name":"dc43e829-3d50-4a0a-aa0f-428d551862aa"},{"properties":{"displayName":"Microsoft Managed Control 1439 - Media Sanitization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection 
control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45","type":"Microsoft.Authorization/policyDefinitions","name":"dce72873-c5f1-47c3-9b4f-6b8207fd5a45"},{"properties":{"displayName":"Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Contingency Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: + this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19","type":"Microsoft.Authorization/policyDefinitions","name":"dd280d4b-50a1-42fb-a479-ece5878acf19"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"M
icrosoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"},{"properties":{"displayName":"Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339","type":"Microsoft.Authorization/policyDefinitions","name":"dd469ae0-71a8-4adc-aafc-de6949ca3339"},{"properties":{"displayName":"Microsoft Managed Control 
1678 - Malicious Code Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7","type":"Microsoft.Authorization/policyDefinitions","name":"dd533cb0-b416-4be7-8e86-4d154824dfd7"},{"properties":{"displayName":"Microsoft Managed Control 1391 - Information Spillage Response | Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47","type":"Microsoft.Authorization/policyDefinitions","name":"dd6ac1a1-660e-4810-baa8-74e868e2ed47"},{"properties":{"displayName":"Microsoft Managed Control 1146 - Security Assessments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac","type":"Microsoft.Authorization/policyDefinitions","name":"dd83410c-ecb6-4547-8f14-748c3cbdc7ac"},{"properties":{"displayName":"Microsoft Managed Control 1602 - Developer Security Testing And Evaluation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9","type":"Microsoft.Authorization/policyDefinitions","name":"ddae2e97-a449-499f-a1c8-aea4a7e52ec9"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5276,43 +5639,49 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[
{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"},{"properties":{"displayName":"Microsoft Managed Control 1689 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172","type":"Microsoft.Authorization/policyDefinitions","name":"de901f2f-a01a-4456-97f0-33cda7966172"},{"properties":{"displayName":"Microsoft Managed Control 1528 - Access Agreements","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6","type":"Microsoft.Authorization/policyDefinitions","name":"deb9797c-22f8-40e8-b342-a84003c924e6"},{"properties":{"displayName":"Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844","type":"Microsoft.Authorization/policyDefinitions","name":"dff0b90d-5a6f-491c-b2f8-b90aa402d844"},{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Japan East, Japan 
West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697","type":"Microsoft.Authorization/policyDefinitions","name":"e01598e8-6538-41ed-95e8-8b29746cd697"},{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"},{"properties":{"displayName":"Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91","type":"Microsoft.Authorization/policyDefinitions","name":"e0de232d-02a0-4652-872d-88afb4ae5e91"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5321,9 +5690,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"ce
nter-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5334,124 +5703,149 @@ interactions: ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615","type":"Microsoft.Authorization/policyDefinitions","name":"e0efc13a-122a-47c5-b817-2ccfe5d12615"},{"properties":{"displayName":"Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec","type":"Microsoft.Authorization/policyDefinitions","name":"e12494fa-b81e-4080-af71-7dbacc2da0ec"},{"properties":{"displayName":"Microsoft Managed Control 1686 - Information System Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5","type":"Microsoft.Authorization/policyDefinitions","name":"e17085c5-0be8-4423-b39b-a52d3d1402e5"},{"properties":{"displayName":"Microsoft Managed Control 1722 - Spam Protection | Automatic Updates","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff","type":"Microsoft.Authorization/policyDefinitions","name":"e1da06bd-25b6-4127-a301-c313d6873fff"},{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"},{"properties":{"displayName":"Microsoft Managed Control 1047 - System Use Notification","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62","type":"Microsoft.Authorization/policyDefinitions","name":"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62"},{"properties":{"displayName":"Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571","type":"Microsoft.Authorization/policyDefinitions","name":"e214e563-1206-4a43-a56b-ac5880c9c571"},{"properties":{"displayName":"Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763","type":"Microsoft.Authorization/policyDefinitions","name":"e29e0915-5c2f-4d09-8806-048b749ad763"},{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, if used to run the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"},{"properties":{"displayName":"[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. 
The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"not":{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Cont
ainers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/image
SKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["Centos","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10","type":"Microsoft.Authorization/policyDefinitions","name":"e2dd799a-a932-4e9d-ac17-d473bc3c6c10"},{"properties":{"displayName":"Microsoft Managed Control 1161 - Continuous Monitoring","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a","type":"Microsoft.Authorization/policyDefinitions","name":"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a"},{"properties":{"displayName":"Microsoft Managed Control 1387 - Information Spillage Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c","type":"Microsoft.Authorization/policyDefinitions","name":"e3007185-3857-43a9-8237-06ca94f1084c"},{"properties":{"displayName":"Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26","type":"Microsoft.Authorization/policyDefinitions","name":"e327b072-281d-4f75-9c28-4216e5d72f26"},{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"},{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read 
privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"[Preview]: + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"},{"properties":{"displayName":"RDP + access from the Internet should be blocked","policyType":"BuiltIn","mode":"All","description":"This + policy audits any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),3389), 
''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}
}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Settings + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"
ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. 
If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/provide
rs/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"a
nyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', ''='', - 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"},{"properties":{"displayName":"Microsoft Managed Control 1451 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65","type":"Microsoft.Authorization/policyDefinitions","name":"e3f1e5a3-25c1-4476-8cb6-3955031f8e65"},{"properties":{"displayName":"Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105","type":"Microsoft.Authorization/policyDefinitions","name":"e4213689-05e8-4241-9d4e-8dd1cdafd105"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 
This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -5459,104 +5853,122 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"},{"properties":{"displayName":"Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this 
Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6","type":"Microsoft.Authorization/policyDefinitions","name":"e51ff84b-e5ea-408f-b651-2ecc2933e4c6"},{"properties":{"displayName":"Microsoft Managed Control 1381 - Incident Response Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab","type":"Microsoft.Authorization/policyDefinitions","name":"e5368258-9684-4567-8126-269f34e65eab"},{"properties":{"displayName":"Microsoft Managed Control 1421 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6","type":"Microsoft.Authorization/policyDefinitions","name":"e539caaa-da8c-41b8-9e1e-449851e2f7a6"},{"properties":{"displayName":"Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f","type":"Microsoft.Authorization/policyDefinitions","name":"e54c325e-42a0-4dcf-b105-046e0f6f590f"},{"properties":{"displayName":"Microsoft Managed Control 1023 - Account Management | Usage Conditions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5","type":"Microsoft.Authorization/policyDefinitions","name":"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5"},{"properties":{"displayName":"Allowed locations","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. 
Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that - use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"},{"properties":{"displayName":"Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48","type":"Microsoft.Authorization/policyDefinitions","name":"e57b98a0-a011-4956-a79d-5d17ed8b8e48"},{"properties":{"displayName":"Microsoft Managed Control 1499 - Rules Of 
Behavior","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e","type":"Microsoft.Authorization/policyDefinitions","name":"e59671ab-9720-4ee2-9c60-170e8c82251e"},{"properties":{"displayName":"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"},{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft + older 
classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"},{"properties":{"displayName":"Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640","type":"Microsoft.Authorization/policyDefinitions","name":"e6e41554-86b5-4537-9f7f-4fc41a1d1640"},{"properties":{"displayName":"Subnets should be associated with a Network 
Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"},{"properties":{"displayName":"Microsoft Managed Control 1567 - System Development Life Cycle","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3","type":"Microsoft.Authorization/policyDefinitions","name":"e72edbf6-aa61-436d-a227-0f32b77194b3"},{"properties":{"displayName":"Microsoft Managed Control 1311 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6","type":"Microsoft.Authorization/policyDefinitions","name":"e7568697-0c9e-4ea3-9cec-9e567d14f3c6"},{"properties":{"displayName":"Advanced Threat Protection types should be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. 
Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"},{"properties":{"displayName":"Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a","type":"Microsoft.Authorization/policyDefinitions","name":"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a"},{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"},{"properties":{"displayName":"Microsoft Managed Control 1273 - Alternate Processing Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65","type":"Microsoft.Authorization/policyDefinitions","name":"e77fcbf2-a1e8-44f1-860e-ed6583761e65"},{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + 
Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"},{"properties":{"displayName":"Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5","type":"Microsoft.Authorization/policyDefinitions","name":"e7ba2cb3-5675-4468-8b50-8486bdd998a5"},{"properties":{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy 
audits any MySQL server that is not enforcing SSL connection. Azure 
@@ -5564,20 +5976,20 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"},{"properties":{"displayName":"Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890","type":"Microsoft.Authorization/policyDefinitions","name":"e80b6812-0bfa-4383-8223-cdd86a46a890"},{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"},{"properties":{"displayName":"Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to 
stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5591,74 +6003,76 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"Requests","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d","type":"Microsoft.Authorization/policyDefinitions","name":"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"},{"properties":{"displayName":"Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341","type":"Microsoft.Authorization/policyDefinitions","name":"e8f6bddd-6d67-439a-88d4-c5fe39a79341"},{"properties":{"displayName":"Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking 
Restrictions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft + implements this Planning control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63","type":"Microsoft.Authorization/policyDefinitions","name":"e901375c-8f01-4ac8-9183-d5312f47fe63"},{"properties":{"displayName":"Microsoft Managed Control 1723 - Information Input Validation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f","type":"Microsoft.Authorization/policyDefinitions","name":"e91927a0-ac1d-44a0-95f8-5185f9dfce9f"},{"properties":{"displayName":"Microsoft Managed Control 1200 - Security Impact Analysis","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff","type":"Microsoft.Authorization/policyDefinitions","name":"e98fe9d7-2ed3-44f8-93b7-24dca69783ff"},{"properties":{"displayName":"Microsoft Managed Control 1487 - Alternate Work Site","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571","type":"Microsoft.Authorization/policyDefinitions","name":"e9c3371d-c30c-4f58-abd9-30b8a8199571"},{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"},{"properties":{"displayName":"Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd","type":"Microsoft.Authorization/policyDefinitions","name":"ea3e8156-89a1-45b1-8bd6-938abc79fdfd"},{"properties":{"displayName":"Inherit a tag from the resource group if missing","policyType":"BuiltIn","mode":"Indexed","description":"Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. 
If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"},{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"},{"properties":{"displayName":"Microsoft Managed Control 1422 - Maintenance Personnel","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11","type":"Microsoft.Authorization/policyDefinitions","name":"ea556850-838d-4a37-8ce5-9d7642f95e11"},{"properties":{"displayName":"Microsoft Managed Control 1542 - 
Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d","type":"Microsoft.Authorization/policyDefinitions","name":"eab340d0-3d55-4826-a0e5-feebfeb0131d"},{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. 
Only clients - that have a valid certificate will be able to reach the app.","metadata":{"category":"App + that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"},{"properties":{"displayName":"Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb","type":"Microsoft.Authorization/policyDefinitions","name":"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb"},{"properties":{"displayName":"Microsoft Managed Control 1321 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37","type":"Microsoft.Authorization/policyDefinitions","name":"eb627cc6-3a9d-46b5-96b7-5fca49178a37"},{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"},{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without 
log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"},{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"},{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"},{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with 
owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from 
@@ -5668,8 +6082,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5677,26 +6091,31 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592","type":"Microsoft.Authorization/policyDefinitions","name":"ec49586f-4939-402d-a29e-6ff502b20592"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Administrative + Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"},{"properties":{"displayName":"Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3","type":"Microsoft.Authorization/policyDefinitions","name":"eca4d7b2-65e2-4e04-95d4-c68606b063c3"},{"properties":{"displayName":"Microsoft Managed Control 1622 - Boundary Protection","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed","type":"Microsoft.Authorization/policyDefinitions","name":"ecf56554-164d-499a-8d00-206b07c27bed"},{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile 
name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5711,12 +6130,12 @@ interactions: ''/'', ''Microsoft.Insights/'', parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled diagnostic settings for '', parameters(''vaultName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"vaultName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2","type":"Microsoft.Authorization/policyDefinitions","name":"ed7c8c13-51e7-49d1-8a43-8490431a0da2"},{"properties":{"displayName":"Microsoft Managed Control 1217 - Least Functionality | Periodic Review","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed","type":"Microsoft.Authorization/policyDefinitions","name":"edea4f20-b02c-4115-be75-86c080e5c0ed"},{"properties":{"displayName":"Deploy 
Diagnostic Settings for Stream Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5730,25 +6149,25 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingjobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"Execution","enabled":"[parameters(''logsEnabled'')]"},{"category":"Authoring","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca","type":"Microsoft.Authorization/policyDefinitions","name":"edf3780c-3d70-40fe-b17e-ab72013dafca"},{"properties":{"displayName":"Microsoft Managed Control 1189 - Configuration Change Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d","type":"Microsoft.Authorization/policyDefinitions","name":"ee45e02a-4140-416c-82c4-fecfea660b9d"},{"properties":{"displayName":"Microsoft Managed Control 1089 - Security Awareness Training","policyType":"Static","mode":"Indexed","description":"Microsoft - 
implements this Awareness and Training control","metadata":{"category":"Regulatory + implements this Awareness and Training control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e","type":"Microsoft.Authorization/policyDefinitions","name":"ef080e67-0d1a-4f76-a0c5-fb9b0358485e"},{"properties":{"displayName":"Microsoft Managed Control 1314 - Identifier Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295","type":"Microsoft.Authorization/policyDefinitions","name":"ef0c8530-efd9-45b8-b753-f03083d06295"},{"properties":{"displayName":"Microsoft Managed Control 1128 - Time Stamps","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393","type":"Microsoft.Authorization/policyDefinitions","name":"ef212163-3bc4-4e86-bcf8-705127086393"},{"properties":{"displayName":"Vulnerability assessment should be enabled on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"},{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a 
regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -5762,23 +6181,23 @@ interactions: or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.EventHub/namespaces/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"ArchiveLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"OperationalLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutoScaleLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"KafkaCoordinatorLogs","enabled":"[parameters(''logsEnabled'')]"},{"category":"EventHubVNetConnectionEvent","enabled":"[parameters(''logsEnabled'')]"},{"category":"CustomerManagedKeyUserLogs","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f","type":"Microsoft.Authorization/policyDefinitions","name":"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"},{"properties":{"displayName":"Microsoft Managed Control 1472 - Emergency Shutoff","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8","type":"Microsoft.Authorization/policyDefinitions","name":"ef869332-921d-4c28-9402-3be73e6e50c8"},{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"},{"properties":{"displayName":"Microsoft Managed Control 1012 - Account Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738","type":"Microsoft.Authorization/policyDefinitions","name":"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738"},{"properties":{"displayName":"Microsoft Managed Control 1358 - Incident Response Testing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Incident Response 
control","metadata":{"category":"Regulatory + implements this Incident Response control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7","type":"Microsoft.Authorization/policyDefinitions","name":"effbaeef-5bf4-400d-895e-ef8cbc0e64c7"},{"properties":{"displayName":"Ensure that Register with Azure Active Directory is enabled on Function App","policyType":"BuiltIn","mode":"Indexed","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"},{"properties":{"displayName":"Deploy prerequisites to audit Windows VMs that have the specified applications installed","policyType":"BuiltIn","mode":"Indexed","description":"This 
@@ -5787,11 +6206,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5801,17 +6220,17 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2","type":"Microsoft.Authorization/policyDefinitions","name":"f0633351-c7b2-41ff-9981-508fc08553c2"},{"properties":{"displayName":"Microsoft Managed Control 1531 - Third-Party Personnel Security","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236","type":"Microsoft.Authorization/policyDefinitions","name":"f0643e0c-eee5-4113-8684-c608d05c5236"},{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"},{"properties":{"displayName":"Microsoft Managed Control 1028 - Information Flow Enforcement","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475","type":"Microsoft.Authorization/policyDefinitions","name":"f171df5c-921b-41e9-b12b-50801c315475"},{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network 
gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), 
@@ -5823,7 +6242,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field"
:"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), 
@@ -5831,33 +6251,38 @@ interactions: toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9","type":"Microsoft.Authorization/policyDefinitions","name":"f19aa1c1-6b91-4c27-ae6a-970279f03db9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Adminstrative + Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"},{"properties":{"displayName":"Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426","type":"Microsoft.Authorization/policyDefinitions","name":"f25bc08f-27cb-43b6-9a23-014d00700426"},{"properties":{"displayName":"Microsoft Managed Control 1457 - Physical Access Control","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305","type":"Microsoft.Authorization/policyDefinitions","name":"f2d9d3e6-8886-4305-865d-639163e5c305"},{"properties":{"displayName":"Microsoft Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance Of Piv Credentials","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000","type":"Microsoft.Authorization/policyDefinitions","name":"f355d62b-39a8-4ba3-abf7-90f71cb3b000"},{"properties":{"displayName":"Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0","type":"Microsoft.Authorization/policyDefinitions","name":"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0"},{"properties":{"displayName":"Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + 
implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0","type":"Microsoft.Authorization/policyDefinitions","name":"f3793f5e-937f-44f7-bfba-40647ef3efa0"},{"properties":{"displayName":"Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members","policyType":"BuiltIn","mode":"All","description":"This 
@@ -5865,38 +6290,39 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf"
:[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificat
eInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePubl
isher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"},{"properties":{"displayName":"Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404","type":"Microsoft.Authorization/policyDefinitions","name":"f475ee0e-f560-4c9b-876b-04a77460a404"},{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"},{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of 
authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetC
omplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":
"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"},{"properties":{"displayName":"Microsoft Managed Control 1495 - System Security Plan","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Planning control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: + implements this Planning 
control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d","type":"Microsoft.Authorization/policyDefinitions","name":"f4978d0e-a596-48e7-9f8c-bbf52554ce8d"},{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines 
@@ -5904,10 +6330,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Comp
ute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -5919,7 +6345,7 @@ interactions: Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events 
@@ -5933,81 +6359,89 @@ interactions: uniqueString(variables(''locationCode''), parameters(''serverName'')))]"},"resources":[{"apiVersion":"2017-05-10","name":"[variables(''createStorageAccountDeploymentName'')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters(''storageAccountsResourceGroup'')]","properties":{"mode":"Incremental","parameters":{"location":{"value":"[parameters(''location'')]"},"storageName":{"value":"[variables(''storageName'')]"}},"templateLink":{"uri":"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json","contentVersion":"1.0.0.0"}}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/auditingSettings","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","storageEndpoint":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountEndPoint.value]","storageAccountAccessKey":"[reference(variables(''createStorageAccountDeploymentName'')).outputs.storageAccountKey.value]","retentionDays":"[variables(''retentionDays'')]","auditActionsAndGroups":null,"storageAccountSubscriptionId":"[subscription().subscriptionId]","isStorageSecondaryKeyInUse":false}}]},"parameters":{"serverName":{"value":"[field(''name'')]"},"auditRetentionDays":{"value":"[parameters(''retentionDays'')]"},"storageAccountsResourceGroup":{"value":"[parameters(''storageAccountsResourceGroup'')]"},"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036","type":"Microsoft.Authorization/policyDefinitions","name":"f4c68484-132f-41f9-9b6d-3e4b1cb55036"},{"properties":{"displayName":"Microsoft Managed Control 1469 - Power Equipment And Cabling","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical 
and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd","type":"Microsoft.Authorization/policyDefinitions","name":"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd"},{"properties":{"displayName":"Microsoft Managed Control 1618 - Security Function Isolation","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9","type":"Microsoft.Authorization/policyDefinitions","name":"f52f89aa-4489-4ec4-950e-8c96a036baa9"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''Security Options + Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be 
accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"},{"properties":{"displayName":"Microsoft Managed Control 1198 - Configuration Change Control | Security Representative","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356","type":"Microsoft.Authorization/policyDefinitions","name":"f56be5c3-660b-4c61-9078-f67cf072c356"},{"properties":{"displayName":"Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements 
this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de","type":"Microsoft.Authorization/policyDefinitions","name":"f5c66fdc-3d02-4034-9db5-ba57802609de"},{"properties":{"displayName":"Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory - Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Virtual - machines should be associated with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory + 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac","type":"Microsoft.Authorization/policyDefinitions","name":"f5fd629f-3075-4cae-ab53-bad65495a4ac"},{"properties":{"displayName":"Internet-facing + virtual machines should be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"},{"properties":{"displayName":"Microsoft Managed Control 1214 - Least Functionality","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3","type":"Microsoft.Authorization/policyDefinitions","name":"f714a4e2-b580-47b6-ae8c-f2812d3750f3"},{"properties":{"displayName":"Microsoft Managed Control 1591 - External Information System Services | Ident. 
Of Functions / Ports / Protocols / Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3","type":"Microsoft.Authorization/policyDefinitions","name":"f751cdb7-fbee-406b-969b-815d367cb9b3"},{"properties":{"displayName":"Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031","type":"Microsoft.Authorization/policyDefinitions","name":"f75cedb2-5def-4b31-973e-b69e8c7bd031"},{"properties":{"displayName":"Microsoft Managed Control 1540 - Security Categorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment 
control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977","type":"Microsoft.Authorization/policyDefinitions","name":"f771f8cb-6642-45cc-9a15-8a41cd5c6977"},{"properties":{"displayName":"Microsoft Managed Control 1449 - Physical Access Authorizations","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5","type":"Microsoft.Authorization/policyDefinitions","name":"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5"},{"properties":{"displayName":"Microsoft Managed Control 1506 - Personnel Security Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2","type":"Microsoft.Authorization/policyDefinitions","name":"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2"},{"properties":{"displayName":"Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6015,107 +6449,124 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Mic
rosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-wi
ndows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"},{"properties":{"displayName":"Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972","type":"Microsoft.Authorization/policyDefinitions","name":"f82e3639-fa2b-4e06-a786-932d8379b972"},{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"},{"properties":{"displayName":"Microsoft Managed Control 1345 - Cryptographic Module Authentication","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and 
Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea","type":"Microsoft.Authorization/policyDefinitions","name":"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea"},{"properties":{"displayName":"Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c","type":"Microsoft.Authorization/policyDefinitions","name":"f87b8085-dca9-4cf1-8f7b-9822b997797c"},{"properties":{"displayName":"[Preview]: - Deploy requirements to audit Windows VMs configurations in ''System Audit + Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. 
It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System 
Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConf
iguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"},{"properties":{"displayName":"Diagnostic logs in Service Bus should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"},{"properties":{"displayName":"Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066","type":"Microsoft.Authorization/policyDefinitions","name":"f9012d14-e3e6-4d7b-b926-9f37b5537066"},{"properties":{"displayName":"Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335","type":"Microsoft.Authorization/policyDefinitions","name":"f9873db2-18ad-46b3-a11a-1a1f8cbf0335"},{"properties":{"displayName":"Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Physical and Environmental Protection control","metadata":{"category":"Regulatory + implements this Physical and Environmental Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183","type":"Microsoft.Authorization/policyDefinitions","name":"f997df46-cfbb-4cc8-aac8-3fecdaf6a183"},{"properties":{"displayName":"Microsoft Managed Control 1535 - Personnel Sanctions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Personnel Security control","metadata":{"category":"Regulatory + implements this Personnel Security control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e","type":"Microsoft.Authorization/policyDefinitions","name":"f9a165d2-967d-4733-8399-1074270dae2e"},{"properties":{"displayName":"Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Audit and Accountability control","metadata":{"category":"Regulatory + implements this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba","type":"Microsoft.Authorization/policyDefinitions","name":"f9ad559e-c12d-415e-9a78-e50fdd7da7ba"},{"properties":{"displayName":"Diagnostic logs in Azure Stream Analytics should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"},{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"},{"properties":{"displayName":"Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Contingency Planning control","metadata":{"category":"Regulatory + implements this Contingency Planning control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3","type":"Microsoft.Authorization/policyDefinitions","name":"fa108498-b3a8-4ffb-9e79-1107e76afad3"},{"properties":{"displayName":"Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb","type":"Microsoft.Authorization/policyDefinitions","name":"fa4c2a3d-1294-41a3-9ada-0e540471e9fb"},{"properties":{"displayName":"Microsoft Managed Control 1435 - Media Transport","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Media Protection control","metadata":{"category":"Regulatory + implements this Media Protection control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb","type":"Microsoft.Authorization/policyDefinitions","name":"fa8d221b-d130-4637-ba16-501e666628bb"},{"properties":{"displayName":"Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1","type":"Microsoft.Authorization/policyDefinitions","name":"facb66e0-1c48-478a-bed5-747a312323e1"},{"properties":{"displayName":"Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"},{"properties":{"displayName":"Microsoft Managed Control 1086 - Publicly Accessible Content","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5","type":"Microsoft.Authorization/policyDefinitions","name":"fb321e6f-16a0-4be3-878f-500956e309c5"},{"properties":{"displayName":"Microsoft Managed Control 1222 - Information System Component Inventory","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Configuration Management control","metadata":{"category":"Regulatory + implements this Configuration Management control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914","type":"Microsoft.Authorization/policyDefinitions","name":"fb39e62f-6bda-4558-8088-ec03d5670914"},{"properties":{"displayName":"[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Microsoft + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 
1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/polic
yDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"},{"properties":{"displayName":"Storage + account containing the container with activity logs must be encrypted with + BYOK","policyType":"BuiltIn","mode":"All","description":"This policy audits + if the Storage account containing the container with activity logs is encrypted + with BYOK. The policy works only if the storage account lies on the same subscription + as activity logs by design. More information on Azure Storage encryption at + rest can be found here https://aka.ms/azurestoragebyok. ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"},{"properties":{"displayName":"Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Access Control control","metadata":{"category":"Regulatory + implements this 
Access Control control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309","type":"Microsoft.Authorization/policyDefinitions","name":"fc933d22-04df-48ed-8f87-22a3773d4309"},{"properties":{"displayName":"[Preview]: Show audit results from Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"All","description":"This 
@@ -6123,101 +6574,105 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"},{"properties":{"displayName":"Microsoft Managed Control 1318 - Authenticator Management","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66","type":"Microsoft.Authorization/policyDefinitions","name":"fced5fda-3bdb-4d73-bfea-0e2c80428b66"},{"properties":{"displayName":"Microsoft Managed Control 1543 - Risk Assessment","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Risk Assessment control","metadata":{"category":"Regulatory + implements this Risk Assessment control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624","type":"Microsoft.Authorization/policyDefinitions","name":"fd00b778-b5b5-49c0-a994-734ea7bd3624"},{"properties":{"displayName":"Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Information Integrity control","metadata":{"category":"Regulatory + implements this System and Information Integrity control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce","type":"Microsoft.Authorization/policyDefinitions","name":"fd4a2ac8-868a-4702-a345-6c896c3361ce"},{"properties":{"displayName":"Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Identification and Authentication control","metadata":{"category":"Regulatory + implements this Identification and Authentication control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89","type":"Microsoft.Authorization/policyDefinitions","name":"fd4e54f7-9ab0-4bae-b6cc-457809948a89"},{"properties":{"displayName":"Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Communications Protection control","metadata":{"category":"Regulatory + implements this System and Communications Protection control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179","type":"Microsoft.Authorization/policyDefinitions","name":"fd73310d-76fc-422d-bda4-3a077149f179"},{"properties":{"displayName":"Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source","policyType":"Static","mode":"Indexed","description":"Microsoft implements - this Audit and Accountability control","metadata":{"category":"Regulatory + this Audit and Accountability control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102","type":"Microsoft.Authorization/policyDefinitions","name":"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102"},{"properties":{"displayName":"Microsoft Managed Control 1611 - Developer-Provided Training","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f","type":"Microsoft.Authorization/policyDefinitions","name":"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f"},{"properties":{"displayName":"Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b","type":"Microsoft.Authorization/policyDefinitions","name":"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b"},{"properties":{"displayName":"Microsoft Managed Control 1613 - Developer Security Architecture And 
Design","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this System and Services Acquisition control","metadata":{"category":"Regulatory + implements this System and Services Acquisition control","metadata":{"version":"1.0.0","category":"Regulatory Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30","type":"Microsoft.Authorization/policyDefinitions","name":"fe2ad78b-8748-4bff-a924-f74dfca93f30"},{"properties":{"displayName":"Show audit results from Linux VMs that do not have the specified applications installed","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"properties":{"displayName":"Vulnerabilities + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer
","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"},{"prope
rties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"},{"properties":{"displayName":"Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Maintenance control","metadata":{"category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft + implements this Maintenance control","metadata":{"version":"1.0.0","category":"Regulatory + Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976","type":"Microsoft.Authorization/policyDefinitions","name":"ff9fbd83-1d8d-4b41-aac2-94cb44b33976"},{"properties":{"displayName":"Microsoft Managed Control 1158 - Security Authorization","policyType":"Static","mode":"Indexed","description":"Microsoft - implements this Security Assessment and Authorization control","metadata":{"category":"Regulatory + implements this Security Assessment and Authorization control","metadata":{"version":"1.0.0","category":"Regulatory 
Compliance","additionalMetadataId":"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158"},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.Resources/subscriptions","Microsoft.Resources/subscriptions/resourceGroups"]},{"value":"false","equals":"true"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907","type":"Microsoft.Authorization/policyDefinitions","name":"fff50cf2-28eb-45b4-b378-c99412688907"},{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. 
Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerAllowedPorts","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego","policyParameters":{"allowedContainerPortsRegex":"[parameters(''allowedContainerPortsRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb","type":"Microsoft.Authorization/policyDefinitions","name":"0f636243-1b1c-4d50-880f-310f6199f2cb"},{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"},{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate 
expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited + 
''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce labels on pods in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. 
test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"PodEnforceLabels","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego","policyParameters":{"commaSeparatedListOfLabels":"[parameters(''commaSeparatedListOfLabels'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7","type":"Microsoft.Authorization/policyDefinitions","name":"16c6ca72-89d2-4798-b87e-496f9de7fcb7"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -6226,7 +6681,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -6235,25 +6690,25 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml","values":{"allowedContainerPorts":"[parameters(''allowedContainerPortsList'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc","type":"Microsoft.Authorization/policyDefinitions","name":"440b515e-a580-421e-abeb-b159a61ddcbc"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -6262,7 +6717,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images 
@@ -6272,71 +6727,72 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"},{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the 
execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"},{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. 
- For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"},{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. 
For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"},{"properties":{"displayName":"[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
- For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce internal load balancers in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"},{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"},{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"},{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - 
Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"},{"properties":{"displayName":"[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS","policyType":"BuiltIn","mode":"Microsoft.ContainerService.Data","description":"This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for 
@@ -6345,25 +6801,29 @@ interactions: Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml","values":{"cpuLimit":"[parameters(''cpuLimit'')]","memoryLimit":"[parameters(''memoryLimit'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164","type":"Microsoft.Authorization/policyDefinitions","name":"e345eecc-fa47-480f-9e88-67dcc122b164"},{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"},{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. 
Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml","values":{"allowedContainerImagesRegex":"[parameters(''allowedContainerImagesRegex'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469","type":"Microsoft.Authorization/policyDefinitions","name":"febd0533-8e55-448f-b837-bd0e06f16469"},{"properties":{"displayName":"Replace - tag without becoming compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"rohitbh: + tag without becoming 
compliant","policyType":"Custom","mode":"Indexed","description":"","metadata":{"category":"Tags","createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2019-11-21T00:28:28.0537053Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"value":"true","equals":"true"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"tags.mockTag","value":"mockValue"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/270f0d11-af30-4c15-95f7-28ba884518f0","type":"Microsoft.Authorization/policyDefinitions","name":"270f0d11-af30-4c15-95f7-28ba884518f0"},{"properties":{"displayName":"Tag + equals metric definition.","policyType":"Custom","mode":"All","metadata":{"category":"jilim","createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2020-01-09T21:37:54.2256089Z","updatedBy":null,"updatedOn":null},"parameters":{"metdef":{"type":"String","metadata":{"displayName":"Metric + Definition","description":null,"strongType":"Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions"}}},"policyRule":{"if":{"field":"tags.foo","equals":"[parameters(''metdef'')]"},"then":{"effect":"audit"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/296de002-cb8b-459c-b823-3ccc10e3bc2a","type":"Microsoft.Authorization/policyDefinitions","name":"296de002-cb8b-459c-b823-3ccc10e3bc2a"},{"properties":{"displayName":"rohitbh: Key vault access policy","policyType":"Custom","mode":"All","description":"definition description","metadata":{"createdBy":"22ac4b8c-9194-4feb-b6c6-0e7a995fca2e","createdOn":"2019-03-26T00:11:44.907552Z","updatedBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","updatedOn":"2019-11-12T22:08:39.7776262Z"},"parameters":{"userObjectId":{"type":"String","metadata":{"displayName":"User 
Object ID","description":"The GUID for the user which should have access"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.Keyvault/vaults/accessPolicies[*].objectId","notEquals":"[parameters(''userObjectId'')]"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.KeyVault/vaults","name":"current","deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"objectId":{"type":"string"},"keyVaultName":{"type":"string"},"secretsPermissions":{"type":"array","defaultValue":["list"]},"tenantId":{"type":"string"},"location":{"type":"string"},"sku":{"type":"object"},"existingAccessPolicies":{"type":"array","defaultValue":[]}},"variables":{"accessPolicies":[{"tenantId":"[parameters(''tenantId'')]","objectId":"[parameters(''objectId'')]","permissions":{"secrets":"[parameters(''secretsPermissions'')]"}}]},"resources":[{"type":"Microsoft.KeyVault/vaults","name":"[parameters(''keyVaultName'')]","location":"[parameters(''location'')]","apiVersion":"2018-02-14","properties":{"sku":"[parameters(''sku'')]","tenantId":"[parameters(''tenantId'')]","accessPolicies":"[concat(parameters(''existingAccessPolicies''), - 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"test_policyem3nif7gi","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-06T21:51:40.6097535Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed - locations","description":"The list of locations that can be specified when - deploying resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policykavffx3v6","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policykavffx3v6"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated + 
variables(''accessPolicies''))]"}}]},"parameters":{"objectId":{"value":"[parameters(''userObjectId'')]"},"tenantId":{"value":"[field(''Microsoft.Keyvault/vaults/tenantId'')]"},"keyVaultName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"sku":{"value":"[field(''Microsoft.Keyvault/vaults/sku'')]"},"existingAccessPolicies":{"value":"[field(''Microsoft.Keyvault/vaults/accessPolicies'')]"}}}},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3863c624-094c-480d-bc42-74970b55e5e1","type":"Microsoft.Authorization/policyDefinitions","name":"3863c624-094c-480d-bc42-74970b55e5e1"},{"properties":{"displayName":"Append + System MSI","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-01-24T20:38:43.1098002Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"identity.type","notContains":"SystemAssigned"},{"field":"identity.type","notContains":"UserAssigned"}]},"then":{"effect":"append","details":[{"field":"identity.type","value":"SystemAssigned + "}]}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/696db945-5483-4632-95bc-d76037001b62","type":"Microsoft.Authorization/policyDefinitions","name":"696db945-5483-4632-95bc-d76037001b62"},{"properties":{"displayName":"vnet + peering 
test","policyType":"Custom","mode":"All","metadata":{"createdBy":"36e2f355-d2e2-4fbc-88ab-4281639dff94","createdOn":"2020-02-03T19:35:56.3137183Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks"}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings","existenceCondition":{"allOf":[{"field":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id","exists":true}]}}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/96bb4fa1-6ce9-4579-8d80-97e024120b63","type":"Microsoft.Authorization/policyDefinitions","name":"96bb4fa1-6ce9-4579-8d80-97e024120b63"},{"properties":{"displayName":"testDisplay","policyType":"Custom","mode":"Indexed","description":"Updated Unit test junk: sorry for littering. Please delete me!","metadata":{"testName":"testValue","createdBy":"7140c269-e408-47a5-a626-a1d836b96883","createdOn":"2019-12-02T22:35:27.2634648Z","updatedBy":"7140c269-e408-47a5-a626-a1d836b96883","updatedOn":"2019-12-02T22:35:29.2696603Z"},"policyRule":{"if":{"source":"action","equals":"Microsoft.Resources/Subscriptions/ResourceGroups/write"},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ps7866","type":"Microsoft.Authorization/policyDefinitions","name":"ps7866"},{"properties":{"displayName":"robga test 
modify","policyType":"Custom","mode":"Indexed","metadata":{"createdBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","createdOn":"2019-08-06T13:52:23.9266854Z","updatedBy":"0dc80135-ae53-4da3-8695-220a2d93aad8","updatedOn":"2019-08-28T17:18:53.3118044Z"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"tags.testModify","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"tags.testModify","value":"addModifyOperation"}]}}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/robgaTestModify","type":"Microsoft.Authorization/policyDefinitions","name":"robgaTestModify"},{"properties":{"displayName":"Audit tag at MG","policyType":"Custom","mode":"All","metadata":{"createdBy":"327c26bf-bf3e-4128-9b75-fbbd99e98739","createdOn":"2019-09-19T21:02:29.3038974Z","updatedBy":null,"updatedOn":null},"parameters":{},"policyRule":{"if":{"not":{"field":"tags.Test","equals":"UnitTest"}},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Management/managementGroups/AzGovPerfTest/providers/Microsoft.Authorization/policyDefinitions/03ae6c12-b46a-43f1-9f3d-c20620473106","type":"Microsoft.Authorization/policyDefinitions","name":"03ae6c12-b46a-43f1-9f3d-c20620473106"},{"properties":{"displayName":"\"metadata\": @@ -6392,11 +6852,11 @@ interactions: cache-control: - no-cache content-length: - - '1645036' + - '1789218' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:38 GMT + - Thu, 06 Feb 2020 00:13:15 GMT expires: - '-1' pragma: 
@@ -6427,7 +6887,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -6444,7 +6904,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:40 GMT + - Thu, 06 Feb 2020 00:13:16 GMT expires: - '-1' pragma: @@ -6471,7 +6931,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6481,16 +6941,16 @@ interactions: string: '{"properties":{"displayName":"Audit virtual machines without disaster recovery configured","policyType":"BuiltIn","mode":"All","description":"Audit virtual machines which do not have disaster recovery configured. To learn - more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"}' + more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Resources/links","existenceCondition":{"field":"name","like":"ASR-Protect-*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","type":"Microsoft.Authorization/policyDefinitions","name":"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"}' headers: cache-control: - no-cache content-length: - - '796' + - '814' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:41 GMT + - Thu, 06 Feb 2020 00:13:17 GMT expires: - '-1' pragma: @@ -6521,7 +6981,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6538,7 +6998,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:42 GMT + - Thu, 06 Feb 2020 00:13:18 GMT expires: - '-1' pragma: @@ -6565,7 +7025,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6575,18 +7035,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Function App","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"}' + Use of Web Sockets within an Function app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd","type":"Microsoft.Authorization/policyDefinitions","name":"001802d1-4969-4c82-a700-c29c6c6f9bbd"}' headers: cache-control: - no-cache content-length: - - '1259' + - '1287' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:43 GMT + - Thu, 06 Feb 2020 00:13:18 GMT expires: - '-1' pragma: 
@@ -6617,7 +7077,103 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''013e242c-8828-4970-87b3-ab247555486d'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:13:18 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Azure Backup should be enabled for Virtual + Machines","policyType":"BuiltIn","mode":"Indexed","description":"This policy + helps audit if Azure Backup service is enabled for all Virtual machines. 
Azure + Backup is a cost-effective, one-click backup solution simplifies data recovery + and is easier to enable than other cloud backup services.","metadata":{"version":"1.0.0","category":"backup"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d","type":"Microsoft.Authorization/policyDefinitions","name":"013e242c-8828-4970-87b3-ab247555486d"}' + headers: + cache-control: + - no-cache + content-length: + - '1029' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:13:18 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -6634,7 +7190,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:44 GMT + - Thu, 06 Feb 2020 00:13:18 GMT expires: - '-1' pragma: 
@@ -6661,7 +7217,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6675,16 +7231,17 @@ interactions: This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},
{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"
},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad","type":"Microsoft.Authorization/policyDefinitions","name":"02a84be7-c304-421f-9bb7-5d2c26af54ad"}' headers: cache-control: - no-cache content-length: - - '2803' + - '3237' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:44 GMT + - Thu, 06 Feb 2020 00:13:18 GMT expires: - '-1' pragma: @@ -6715,7 +7272,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -6732,7 +7289,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:45 GMT + - Thu, 06 Feb 2020 00:13:19 GMT expires: - '-1' pragma: 
@@ -6759,7 +7316,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6770,17 +7327,17 @@ interactions: be encrypted with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/managedInstances/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260","type":"Microsoft.Authorization/policyDefinitions","name":"048248b0-55cd-46da-b1ff-39efd52db260"}' headers: cache-control: - no-cache content-length: - - '1341' + - '1359' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:45 GMT + - Thu, 06 Feb 2020 00:13:19 GMT expires: - '-1' pragma: 
@@ -6811,7 +7368,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -6828,7 +7385,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:46 GMT + - Thu, 06 Feb 2020 00:13:20 GMT expires: - '-1' pragma: @@ -6855,7 +7412,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6867,17 +7424,17 @@ interactions: Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Linux VMs monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePu
blisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"}' + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Linux VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"f
ield":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602","type":"Microsoft.Authorization/policyDefinitions","name":"04c4380f-3fae-46e8-96c9-30193528f602"}' headers: cache-control: - no-cache content-length: - - '2955' + - '2992' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:47 GMT + - Thu, 06 Feb 2020 00:13:20 GMT expires: - '-1' pragma: @@ -6908,7 +7465,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -6925,7 +7482,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:48 GMT + - Thu, 06 Feb 2020 00:13:20 GMT expires: - '-1' pragma: @@ -6952,7 +7509,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -6963,7 +7520,7 @@ interactions: Bus to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -6979,11 +7536,11 @@ interactions: cache-control: - no-cache content-length: - - '3721' + - '3739' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:48 GMT + - Thu, 06 Feb 2020 00:13:20 GMT expires: - '-1' pragma: @@ -7014,7 +7571,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7031,7 +7588,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:49 GMT + - Thu, 06 Feb 2020 00:13:21 GMT expires: - '-1' pragma: 
@@ -7058,7 +7615,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7068,7 +7625,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Deploy Log Analytics Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined - and the agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + and the agent is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the @@ -7083,11 +7640,11 @@ interactions: cache-control: - no-cache content-length: - - '4955' + - '4981' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:50 GMT + - Thu, 06 Feb 2020 00:13:21 GMT expires: - '-1' pragma: @@ -7118,7 +7675,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7135,7 +7692,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:50 GMT + - Thu, 06 Feb 2020 00:13:21 GMT expires: - '-1' pragma: 
@@ -7162,7 +7719,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7173,17 +7730,17 @@ interactions: SQL server should contain an email address to receive scan reports","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send scan reports to'' field in the Vulnerability Assessment settings. This email address receives scan result - summary after a periodic scan runs on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + summary after a periodic scan runs on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9","type":"Microsoft.Authorization/policyDefinitions","name":"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"}' headers: cache-control: - no-cache content-length: - - '1176' + - '1194' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:51 GMT + - Thu, 06 Feb 2020 00:13:21 GMT expires: - '-1' pragma: 
@@ -7214,7 +7771,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7231,7 +7788,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:52 GMT + - Thu, 06 Feb 2020 00:13:22 GMT expires: - '-1' pragma: @@ -7258,7 +7815,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7269,19 +7826,20 @@ interactions: should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb","type":"Microsoft.Authorization/policyDefinitions","name":"057ef27e-665e-4328-8ea3-04b3122bd9fb"}' headers: cache-control: - no-cache content-length: - - '1797' + - '1911' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:53 GMT + - Thu, 06 Feb 2020 00:13:22 GMT expires: - '-1' pragma: @@ -7312,7 +7870,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7329,7 +7887,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:54 GMT + - Thu, 06 Feb 2020 00:13:22 GMT expires: - '-1' pragma: 
@@ -7356,7 +7914,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7365,17 +7923,17 @@ interactions: body: string: '{"properties":{"displayName":"[Deprecated]: Audit SQL DB Level Audit Setting","policyType":"BuiltIn","mode":"All","description":"Audit DB level - audit setting for SQL databases","metadata":{"category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"Audit - Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"}' + audit setting for SQL databases","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{"setting":{"type":"String","metadata":{"displayName":"[Deprecated]: + Audit Setting"},"allowedValues":["enabled","disabled"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/auditingSettings","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a12"}' headers: cache-control: - no-cache content-length: - - '916' + - '959' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:54 GMT + - Thu, 06 Feb 2020 00:13:22 GMT 
expires: - '-1' pragma: @@ -7406,7 +7964,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7423,7 +7981,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:55 GMT + - Thu, 06 Feb 2020 00:13:22 GMT expires: - '-1' pragma: @@ -7450,7 +8008,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7458,16 +8016,16 @@ interactions: response: body: string: '{"properties":{"displayName":"Audit VMs that do not use managed disks","policyType":"BuiltIn","mode":"All","description":"This - policy audits VMs that do not use managed disks","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"}' + policy audits VMs that do not use managed disks","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/osDisk.uri","exists":"True"}]},{"allOf":[{"field":"type","equals":"Microsoft.Compute/VirtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers","exists":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl","exists":"True"}]}]}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d","type":"Microsoft.Authorization/policyDefinitions","name":"06a78e20-9358-41c9-923c-fb736d382a4d"}' headers: cache-control: - no-cache content-length: - - '897' + - '915' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:55 GMT + - Thu, 06 Feb 2020 00:13:22 GMT expires: - '-1' pragma: 
@@ -7498,7 +8056,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7515,7 +8073,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:56 GMT + - Thu, 06 Feb 2020 00:13:23 GMT expires: - '-1' pragma: @@ -7542,7 +8100,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7552,18 +8110,18 @@ interactions: string: '{"properties":{"displayName":"CORS should not allow every resource to access your Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function - app. Allow only required domains to interact with your Function app.","metadata":{"category":"App + app. Allow only required domains to interact with your Function app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","type":"Microsoft.Authorization/policyDefinitions","name":"0820b7b9-23aa-4725-a1ce-ae4558f718e5"}' headers: cache-control: - no-cache content-length: - - '1080' + - '1098' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:57 GMT + - Thu, 06 Feb 2020 00:13:23 GMT expires: - '-1' pragma: @@ -7594,7 +8152,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7611,7 +8169,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:58 GMT + - Thu, 06 Feb 2020 00:13:24 GMT expires: - '-1' pragma: 
@@ -7638,7 +8196,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7649,7 +8207,7 @@ interactions: for Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the @@ -7664,11 +8222,11 @@ interactions: cache-control: - no-cache content-length: - - '5940' + - '5966' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:58 GMT + - Thu, 06 Feb 2020 00:13:24 GMT expires: - '-1' pragma: @@ -7699,7 +8257,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7716,7 +8274,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:59 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: 
@@ -7743,7 +8301,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7753,18 +8311,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"}' + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c","type":"Microsoft.Authorization/policyDefinitions","name":"08b17839-76c6-4015-90e0-33d9d54d219c"}' headers: cache-control: - no-cache content-length: - - '1284' + - '1312' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:02:59 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: @@ -7795,7 +8353,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7812,7 +8370,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:01 GMT + - Thu, 06 Feb 2020 00:13:24 GMT expires: - '-1' pragma: @@ -7839,7 +8397,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -7850,7 +8408,7 @@ interactions: Services to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -7866,11 +8424,11 @@ interactions: cache-control: - no-cache content-length: - - '3731' + - '3749' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:01 GMT + - Thu, 06 Feb 2020 00:13:24 GMT expires: - '-1' pragma: @@ -7901,7 +8459,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -7918,7 +8476,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:02 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: 
@@ -7945,28 +8503,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Network Security Group Rules for Internet - facing virtual machines should be hardened","policyType":"BuiltIn","mode":"Indexed","description":"Azure + string: '{"properties":{"displayName":"Adaptive Network Hardening recommendations + should be applied on internet facing virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential - attack surface","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + attack surface","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"adaptiveNetworkHardenings","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","type":"Microsoft.Authorization/policyDefinitions","name":"08e6af2d-db70-460a-bfe9-d5bd474ba9d6"}' headers: cache-control: - no-cache content-length: - - '1151' + - '1181' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:03 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: @@ -7997,7 +8555,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8014,7 +8572,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:04 GMT + - Thu, 06 Feb 2020 00:13:26 GMT expires: - '-1' pragma: @@ -8041,7 +8599,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8051,17 +8609,18 @@ interactions: string: '{"properties":{"displayName":"There should be more than one owner assigned to your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate more than one subscription owner in order to have - administrator access redundancy.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + administrator access redundancy.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateMoreThanOneOwner","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","type":"Microsoft.Authorization/policyDefinitions","name":"09024ccc-0c5f-475e-9457-b7c0d9ed487b"}' headers: cache-control: - no-cache content-length: - - '1056' + - '1074' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:05 GMT + - Thu, 06 Feb 2020 00:13:26 GMT expires: - '-1' pragma: @@ -8092,7 +8651,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8109,7 +8668,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:05 GMT + - Thu, 06 Feb 2020 00:13:26 GMT expires: - '-1' pragma: @@ -8136,7 +8695,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8145,18 +8704,18 @@ interactions: body: string: '{"properties":{"displayName":"Disk encryption should be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"VMs without - an enabled disk encryption will be monitored by Azure Security Center as recommendations","metadata":{"category":"Security + an enabled disk encryption will be monitored by Azure Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","type":"Microsoft.Authorization/policyDefinitions","name":"0961003e-5a0a-4549-abde-af6a37f2724d"}' headers: cache-control: - no-cache content-length: - - '1016' + - '1034' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:06 GMT + - Thu, 06 Feb 2020 00:13:26 GMT expires: - '-1' pragma: 
@@ -8187,7 +8746,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8204,7 +8763,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:07 GMT + - Thu, 06 Feb 2020 00:13:27 GMT expires: - '-1' pragma: @@ -8231,7 +8790,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8245,7 +8804,7 @@ interactions: that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond - the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location + the defined schedule. This policy will be enhanced to support more VM images.","metadata":{"version":"1.0.0","category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the VMs that you want to protect)","description":"Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location.\nFor example - southeastasia","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup 
@@ -8267,11 +8826,11 @@ interactions: cache-control: - no-cache content-length: - - '9089' + - '9107' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:07 GMT + - Thu, 06 Feb 2020 00:13:27 GMT expires: - '-1' pragma: @@ -8302,7 +8861,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8319,7 +8878,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:08 GMT + - Thu, 06 Feb 2020 00:13:27 GMT expires: - '-1' pragma: @@ -8346,7 +8905,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8355,16 +8914,16 @@ interactions: body: string: '{"properties":{"displayName":"Audit resource location matches resource group location","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that the resource location matches its resource group location","metadata":{"category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"}' + that the resource location matches its resource group location","metadata":{"version":"1.0.0","category":"General"},"policyRule":{"if":{"field":"location","notIn":["[resourcegroup().location]","global"]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a","type":"Microsoft.Authorization/policyDefinitions","name":"0a914e76-4921-4c19-b460-a2d36003525a"}' headers: cache-control: - no-cache content-length: - - '556' + - '574' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:09 GMT + - Thu, 06 Feb 2020 00:13:28 GMT expires: - '-1' pragma: @@ -8395,7 +8954,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8412,7 +8971,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:10 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: 
@@ -8439,33 +8998,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Account Management''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","roleDefinitionIds":["/providers/microsoft.authorization/role
Definitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountManagement"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29","type":"Microsoft.Authorization/policyDefinitions","name":"0a9991e6-21be-49f9-8916-a06d934bcf29"}' headers: cache-control: - no-cache content-length: - - '4414' + - '5802' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:10 GMT + - Thu, 06 Feb 2020 00:13:25 GMT expires: - '-1' pragma: @@ -8496,7 +9060,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8513,7 +9077,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:12 GMT + - Thu, 06 Feb 2020 00:13:29 GMT expires: - '-1' pragma: @@ -8540,7 +9104,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8551,18 +9115,18 @@ interactions: for high severity alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware - of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"category":"Security + of any potential security issues and can mitigate the risk in a timely fashion","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertsToAdmins","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d","type":"Microsoft.Authorization/policyDefinitions","name":"0b15565f-aa9e-48ba-8619-45960f2c314d"}' headers: cache-control: - no-cache content-length: - - '1149' + - '1167' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:12 GMT + - Thu, 06 Feb 2020 00:13:29 GMT expires: - '-1' pragma: 
@@ -8593,7 +9157,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8610,7 +9174,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:13 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: @@ -8637,7 +9201,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8651,17 +9215,17 @@ interactions: is deleted. When ''Purge protection'' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention - policy will be followed.","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy will be followed.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","exists":"false"},{"field":"Microsoft.KeyVault/vaults/enableSoftDelete","equals":"false"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","type":"Microsoft.Authorization/policyDefinitions","name":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"}' headers: cache-control: - no-cache content-length: - - '1492' + - '1510' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:13 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: @@ -8692,7 +9256,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8709,7 +9273,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:15 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: @@ -8736,7 +9300,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8746,18 +9310,18 @@ interactions: string: '{"properties":{"displayName":"Ensure API app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. - Only clients that have a valid certificate will be able to reach the app.","metadata":{"category":"App + Only clients that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886","type":"Microsoft.Authorization/policyDefinitions","name":"0c192fe8-9cbb-4516-85b3-0ade8bd03886"}' headers: cache-control: - no-cache content-length: - - '985' + - '1003' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:15 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: 
@@ -8788,7 +9352,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8805,7 +9369,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:16 GMT + - Thu, 06 Feb 2020 00:13:30 GMT expires: - '-1' pragma: @@ -8832,7 +9396,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8843,17 +9407,17 @@ interactions: with your own key","policyType":"BuiltIn","mode":"Indexed","description":"Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed - external service, and promotion of separation of duties.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + external service, and promotion of separation of duties.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/encryptionProtector","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/servers/encryptionProtector/serverKeyType","equals":"AzureKeyVault"},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","notEquals":""},{"field":"Microsoft.Sql/servers/encryptionProtector/uri","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd","type":"Microsoft.Authorization/policyDefinitions","name":"0d134df8-db83-46fb-ad72-fe0c9428c8dd"}' headers: cache-control: - no-cache content-length: - - '1286' + - '1304' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:16 GMT + - Thu, 06 Feb 2020 00:13:31 GMT expires: - '-1' pragma: @@ -8884,7 +9448,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8901,7 +9465,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:17 GMT + - Thu, 06 Feb 2020 00:13:31 GMT expires: - '-1' pragma: @@ -8928,7 +9492,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -8941,16 +9505,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":
"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"f
ield":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053","type":"Microsoft.Authorization/policyDefinitions","name":"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"}' headers: cache-control: - no-cache content-length: - - '2765' + - '3199' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:18 GMT + - Thu, 06 Feb 2020 00:13:31 GMT expires: - '-1' pragma: @@ -8981,7 +9546,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -8998,7 +9563,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:19 GMT + - Thu, 06 Feb 2020 00:13:32 GMT expires: - '-1' pragma: 
@@ -9025,7 +9590,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9034,18 +9599,18 @@ interactions: body: string: '{"properties":{"displayName":"Managed identity should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Use a - managed identity for enhanced authentication security","metadata":{"category":"App + managed identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f","type":"Microsoft.Authorization/policyDefinitions","name":"0da106f2-4ca3-48e8-bc85-c638fe6aea8f"}' headers: cache-control: - no-cache content-length: - - '979' + - '997' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:20 GMT + - Thu, 06 Feb 2020 00:13:32 GMT expires: - '-1' pragma: @@ -9076,7 +9641,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9093,7 +9658,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:21 GMT + - Thu, 06 Feb 2020 00:13:33 GMT expires: - '-1' pragma: @@ -9120,7 +9685,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9132,17 +9697,17 @@ interactions: access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access - the cluster.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAuthorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"}' + the cluster.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","type":"Microsoft.Authorization/policyDefinitions","name":"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"}' headers: cache-control: - no-cache content-length: - - '1112' + - '1163' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:21 GMT + - Thu, 06 Feb 2020 00:13:33 GMT expires: - '-1' pragma: 
@@ -9173,7 +9738,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9190,7 +9755,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:22 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: @@ -9217,7 +9782,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9227,17 +9792,17 @@ interactions: string: '{"properties":{"displayName":"Remote debugging should be turned off for Function Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an function app. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9","type":"Microsoft.Authorization/policyDefinitions","name":"0e60b895-3786-45da-8377-9c6b4b6ac5f9"}' headers: cache-control: - no-cache content-length: - - '1024' + - '1042' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:23 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: @@ -9268,7 +9833,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9285,7 +9850,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:24 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: 
@@ -9312,7 +9877,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9322,17 +9887,17 @@ interactions: string: '{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MariaDB","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for MariaDB with geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMariaDB/servers"},{"field":"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0","type":"Microsoft.Authorization/policyDefinitions","name":"0ec47710-77ff-4a3d-9181-6aa50af424d0"}' headers: cache-control: - no-cache content-length: - - '904' + - '922' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:24 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: @@ -9363,7 +9928,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9380,7 +9945,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:26 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: @@ -9407,7 +9972,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9420,17 +9985,18 @@ interactions: for Guest Configuration on Windows VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIf
NotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + please visit https://aka.ms/gcpol.","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer"
,"notLike":"SQL2008*"}]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforWindows","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforWindows"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293","type":"Microsoft.Authorization/policyDefinitions","name":"0ecd903d-91e7-4726-83d3-a229d7f2e293"}' headers: cache-control: - no-cache content-length: - - '3779' + - '4190' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:27 GMT + - Thu, 06 Feb 2020 00:13:34 GMT expires: - '-1' pragma: 
@@ -9461,7 +10027,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9478,7 +10044,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:28 GMT + - Thu, 06 Feb 2020 00:13:35 GMT expires: - '-1' pragma: @@ -9505,7 +10071,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9520,11 +10086,11 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"Certificate - thumbprints","description":"A semicolon-separated list of certificate thumbprints - that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). - e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateThumbprints":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints","description":"A semicolon-separated list of certificate + thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). + e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008
*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', ''='', parameters(''CertificateThumbprints'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsCertificateInTrustedRoot"},"CertificateThumbprints":{"value":"[parameters(''CertificateThumbprints'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateThumbprints":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprints'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -9537,11 +10103,11 @@ interactions: cache-control: - no-cache content-length: - - '6344' + - '6789' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:28 GMT + - Thu, 06 Feb 2020 00:13:36 GMT expires: - '-1' pragma: @@ -9572,7 +10138,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9589,7 +10155,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:28 GMT + - Thu, 06 Feb 2020 00:13:36 GMT expires: - '-1' pragma: @@ -9616,7 +10182,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9628,18 +10194,18 @@ interactions: newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6","type":"Microsoft.Authorization/policyDefinitions","name":"10c1859c-e1a7-4df3-ab97-a487fa8059f6"}' headers: cache-control: - no-cache content-length: - - '1274' + - '1292' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:29 GMT + - Thu, 06 Feb 2020 00:13:36 GMT expires: - '-1' pragma: @@ -9670,7 +10236,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9687,7 +10253,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:30 GMT + - Thu, 06 Feb 2020 00:13:37 GMT expires: - '-1' pragma: 
@@ -9714,7 +10280,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9723,17 +10289,17 @@ interactions: body: string: '{"properties":{"displayName":"Custom subscription owner roles should not exist","policyType":"BuiltIn","mode":"All","description":"This policy - ensures that no custom subscription owner roles exist.","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ensures that no custom subscription owner roles exist.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"},{"anyOf":[{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/permissions.actions[*]","notEquals":"*"}}]},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notIn":["[concat(subscription().id,''/'')]","[subscription().id]","/"]}},{"not":{"field":"Microsoft.Authorization/roleDefinitions/assignableScopes[*]","notLike":"/providers/Microsoft.Management/*"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9","type":"Microsoft.Authorization/policyDefinitions","name":"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"}' headers: cache-control: - no-cache content-length: - - '1339' + - '1357' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:31 GMT + - Thu, 06 Feb 2020 00:13:37 GMT expires: - '-1' pragma: 
@@ -9764,7 +10330,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9781,7 +10347,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:32 GMT + - Thu, 06 Feb 2020 00:13:37 GMT expires: - '-1' pragma: @@ -9808,7 +10374,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9819,7 +10385,7 @@ interactions: - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example 
@@ -9828,11 +10394,11 @@ interactions: cache-control: - no-cache content-length: - - '5737' + - '5763' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:32 GMT + - Thu, 06 Feb 2020 00:13:37 GMT expires: - '-1' pragma: @@ -9863,7 +10429,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -9880,7 +10446,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:33 GMT + - Thu, 06 Feb 2020 00:13:38 GMT expires: - '-1' pragma: 
@@ -9907,33 +10473,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System objects''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","roleDefinitionIds":["/providers/microsoft.authorization/roleDefiniti
ons/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemobjects"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa","type":"Microsoft.Authorization/policyDefinitions","name":"12ae2d24-3805-4b37-9fa9-465968bfbcfa"}' headers: cache-control: - no-cache content-length: - - '4380' + - '5768' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:34 GMT + - Thu, 06 Feb 2020 00:13:38 GMT expires: - '-1' pragma: @@ -9964,7 +10535,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -9981,7 +10552,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:35 GMT + - Thu, 06 Feb 2020 00:13:39 GMT expires: - '-1' pragma: @@ -10008,7 +10579,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10022,11 +10593,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"installedApplication":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server 2014*'' - (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existe
nceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', + (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","lik
e":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]bwhitelistedapp;Name'', ''='', parameters(''installedApplication'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WhitelistedApplication"},"installedApplication":{"value":"[parameters(''installedApplication'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"installedApplication":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]bwhitelistedapp;Name","value":"[parameters(''installedApplication'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -10039,11 +10610,11 @@ interactions: cache-control: - no-cache content-length: - - '6236' + - '6647' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:35 GMT + - Thu, 06 Feb 2020 00:13:39 GMT expires: - '-1' pragma: @@ -10074,7 +10645,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10091,7 +10662,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:36 GMT + - Thu, 06 Feb 2020 00:13:39 GMT expires: - '-1' pragma: @@ -10118,7 +10689,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10132,11 +10703,11 @@ interactions: also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToExclude":{"type":"String","metadata":{"displayName":"Members to exclude","description":"A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/
imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute
/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToExclude'', ''='', 
parameters(''MembersToExclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToExclude"},"MembersToExclude":{"value":"[parameters(''MembersToExclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToExclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToExclude","value":"[parameters(''MembersToExclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -10149,11 +10720,11 @@ interactions: cache-control: - no-cache content-length: - - '6142' + - '6553' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:37 GMT + - Thu, 06 Feb 2020 00:13:39 GMT expires: - '-1' pragma: @@ -10184,7 +10755,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10201,7 +10772,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:37 GMT + - Thu, 06 Feb 2020 00:13:40 GMT expires: - '-1' pragma: @@ -10228,7 +10799,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10242,7 +10813,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -10254,11 +10826,11 @@ interactions: cache-control: - no-cache content-length: - - '5240' + - '5674' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:38 GMT + - Thu, 06 Feb 2020 00:13:40 GMT expires: - '-1' pragma: 
@@ -10289,7 +10861,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10306,7 +10878,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:40 GMT + - Thu, 06 Feb 2020 00:13:40 GMT expires: - '-1' pragma: @@ -10333,7 +10905,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10346,16 +10918,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machi
nes"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micr
osoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6","type":"Microsoft.Authorization/policyDefinitions","name":"16f9b37c-4408-4c30-bc17-254958f2e2d6"}' headers: cache-control: - no-cache content-length: - - '2777' + - '3188' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:40 GMT + - Thu, 06 Feb 2020 00:13:40 GMT expires: - '-1' pragma: @@ -10386,7 +10959,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10403,7 +10976,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:42 GMT + - Thu, 06 Feb 2020 00:13:41 GMT expires: - '-1' pragma: 
@@ -10430,7 +11003,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10440,8 +11013,8 @@ interactions: string: '{"properties":{"displayName":"Deploy associations for a managed application","policyType":"BuiltIn","mode":"Indexed","description":"Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource - types.","metadata":{"category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed - application Id","description":"Resource ID of the managed application to which + types.","metadata":{"version":"1.0.0","category":"Managed Application"},"parameters":{"targetManagedApplicationId":{"type":"String","metadata":{"displayName":"Managed + application ID","description":"Resource ID of the managed application to which resources need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource types to associate","description":"The list of resource types to be associated to the managed application.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association @@ -10456,11 +11029,11 @@ interactions: cache-control: - no-cache content-length: - - '3060' + - '3078' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:42 GMT + - Thu, 06 Feb 2020 00:13:41 GMT expires: - '-1' pragma: 
@@ -10491,7 +11064,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10508,7 +11081,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:43 GMT + - Thu, 06 Feb 2020 00:13:42 GMT expires: - '-1' pragma: @@ -10535,7 +11108,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10543,18 +11116,19 @@ interactions: response: body: string: '{"properties":{"displayName":"Transparent Data Encryption on SQL databases - should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit - transparent data encryption status for SQL databases","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"enabled"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12","type":"Microsoft.Authorization/policyDefinitions","name":"17k78e20-9358-41c9-923c-fb736d382a12"}' headers: cache-control: - no-cache content-length: - - '1036' + - '1098' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:43 GMT + - Thu, 06 Feb 2020 00:13:42 GMT expires: - '-1' pragma: @@ -10585,7 +11159,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10602,7 +11176,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:44 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10629,7 +11203,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10639,17 +11213,17 @@ interactions: string: '{"properties":{"displayName":"Azure Monitor log profile should collect logs for categories ''write,'' ''delete,'' and ''action''","policyType":"BuiltIn","mode":"All","description":"This policy ensures that a log profile collects logs for categories ''write,'' - ''delete,'' and ''action''","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + ''delete,'' and ''action''","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logprofiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Write"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Delete"}},{"not":{"field":"Microsoft.Insights/logProfiles/categories[*]","notEquals":"Action"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7","type":"Microsoft.Authorization/policyDefinitions","name":"1a4e592a-6a6e-44a5-9814-e36264ca96e7"}' headers: cache-control: - no-cache content-length: - - '1197' + - '1215' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:45 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10680,7 +11254,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10697,7 +11271,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:46 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10724,7 +11298,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10735,17 +11309,18 @@ interactions: be restricted","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that - are too broad","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"}' + are too broad","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Web/sites"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToAppServices","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff","type":"Microsoft.Authorization/policyDefinitions","name":"1a833ff1-d297-4a0f-9944-888428f8e0ff"}' headers: cache-control: - no-cache content-length: 
- - '1113' + - '1150' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:47 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10776,7 +11351,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10793,7 +11368,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:48 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10820,7 +11395,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10831,17 +11406,17 @@ interactions: on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you - remediate potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + remediate potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a","type":"Microsoft.Authorization/policyDefinitions","name":"1b7aa243-30e4-4c9e-bca8-d0d3022b634a"}' headers: cache-control: - no-cache content-length: - - '1154' + - '1172' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:48 GMT + - Thu, 06 Feb 2020 00:13:43 GMT expires: - '-1' pragma: @@ -10872,7 +11447,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -10889,7 +11464,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:49 GMT + - Thu, 06 Feb 2020 00:13:45 GMT expires: - '-1' pragma: @@ -10916,7 +11491,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10928,7 +11503,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', 
@@ -10937,11 +11512,11 @@ interactions: cache-control: - no-cache content-length: - - '1856' + - '1874' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:50 GMT + - Thu, 06 Feb 2020 00:13:45 GMT expires: - '-1' pragma: @@ -10972,7 +11547,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -10989,7 +11564,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:46 GMT + - Thu, 06 Feb 2020 00:13:45 GMT expires: - '-1' pragma: @@ -11016,7 +11591,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11027,7 +11602,7 @@ interactions: Windows VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over - time as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + time as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field
":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.Dependency
Agent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -11036,11 +11611,11 @@ interactions: cache-control: - no-cache content-length: - - '5233' + - '5259' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:47 GMT + - Thu, 06 Feb 2020 00:13:45 GMT expires: - '-1' pragma: @@ -11071,7 +11646,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11088,7 +11663,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:52 GMT + - Thu, 06 Feb 2020 00:13:46 GMT expires: - '-1' pragma: 
@@ -11115,7 +11690,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11128,17 +11703,17 @@ interactions: such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for - easier security management","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + easier security management","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachines"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicCompute/virtualMachines"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","type":"Microsoft.Authorization/policyDefinitions","name":"1d84d5fb-01f6-4d12-ba4f-4a26081d403d"}' headers: cache-control: - no-cache content-length: - - '1235' + - '1253' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:52 GMT + - Thu, 06 Feb 2020 00:13:46 GMT expires: - '-1' pragma: 
@@ -11169,7 +11744,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11186,7 +11761,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:54 GMT + - Thu, 06 Feb 2020 00:13:46 GMT expires: - '-1' pragma: @@ -11213,7 +11788,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11223,18 +11798,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"}' + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb","type":"Microsoft.Authorization/policyDefinitions","name":"1de7b11d-1870-41a5-8181-507e7c663cfb"}' headers: cache-control: - no-cache content-length: - - '1213' + - '1241' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:54 GMT + - Thu, 06 Feb 2020 00:13:46 GMT expires: - '-1' pragma: @@ -11265,7 +11840,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11282,7 +11857,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:56 GMT + - Thu, 06 Feb 2020 00:13:47 GMT expires: - '-1' pragma: @@ -11309,7 +11884,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11317,7 +11892,7 @@ interactions: response: body: string: '{"properties":{"displayName":"Require tag and its value","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - a required tag and its value. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + a required tag and its value. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"not":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","equals":"[parameters(''tagValue'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62","type":"Microsoft.Authorization/policyDefinitions","name":"1e30110a-5ceb-460c-a204-c1c3969c6d62"}' @@ -11325,11 +11900,11 @@ interactions: cache-control: - no-cache content-length: - - '819' + - '837' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:56 GMT + - Thu, 06 Feb 2020 00:13:47 GMT expires: - '-1' pragma: @@ -11360,7 +11935,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11377,7 +11952,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:57 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: 
@@ -11404,7 +11979,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11416,17 +11991,17 @@ interactions: provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users - and other Microsoft services","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and other Microsoft services","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/administrators"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9","type":"Microsoft.Authorization/policyDefinitions","name":"1f314764-cb73-4fc9-b863-8eca98ac36e9"}' headers: cache-control: - no-cache content-length: - - '1048' + - '1066' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:57 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: @@ -11457,7 +12032,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11474,7 +12049,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:58 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: @@ -11501,7 +12076,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11512,7 +12087,7 @@ interactions: Hub to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -11528,11 +12103,11 @@ interactions: cache-control: - no-cache content-length: - - '4108' + - '4126' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:03:59 GMT + - Thu, 06 Feb 2020 00:13:48 GMT expires: - '-1' pragma: 
@@ -11563,7 +12138,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11580,7 +12155,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:00 GMT + - Thu, 06 Feb 2020 00:13:49 GMT expires: - '-1' pragma: 
@@ -11607,47 +12182,54 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Shutdown''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"Shutdown: - Allow system to be shut down without having to log on","description":"Specifies + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Allow system to be shut down without having to log on","description":"Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows - logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"Shutdown: - Clear virtual memory pagefile","description":"Specifies whether the virtual - memory pagefile is cleared when the system is shut down. When this policy - setting is enabled, the system pagefile is cleared each time that the system - shuts down properly. 
For systems with large amounts of RAM, this could result - in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition
":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: + logon screen."},"defaultValue":"0"},"ShutdownClearVirtualMemoryPagefile":{"type":"String","metadata":{"displayName":"[Preview]: + Shutdown: Clear virtual memory pagefile","description":"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Shutdown: Allow system to be shut down without having to log on;ExpectedValue'', ''='', parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn''), '','', - ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''Shutdown: Clear virtual memory pagefile;ExpectedValue'', ''='', 
parameters(''ShutdownClearVirtualMemoryPagefile'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsShutdown"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},"ShutdownClearVirtualMemoryPagefile":{"value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn":{"type":"string"},"ShutdownClearVirtualMemoryPagefile":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Shutdown: Allow system to be shut down without having to log on;ExpectedValue","value":"[parameters(''ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'')]"},{"name":"Shutdown: - Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Clear virtual memory pagefile;ExpectedValue","value":"[parameters(''ShutdownClearVirtualMemoryPagefile'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da","type":"Microsoft.Authorization/policyDefinitions","name":"1f8c20ce-3414-4496-8b26-0e902a1541da"}' headers: cache-control: - no-cache content-length: - - '6303' + - '8033' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:01 GMT + - Thu, 06 Feb 2020 00:13:49 GMT expires: - '-1' pragma: @@ -11678,7 +12260,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11695,7 +12277,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:01 GMT + - Thu, 06 Feb 2020 00:13:50 GMT expires: - '-1' pragma: 
@@ -11722,29 +12304,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"The NSGs rules for web applications on - IaaS should be hardened","policyType":"BuiltIn","mode":"All","description":"Azure + string: '{"properties":{"displayName":"Web ports should be restricted on Network + Security Groups associated to your VM","policyType":"BuiltIn","mode":"All","description":"Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly - permissive with regards to the web application ports","metadata":{"category":"Security + permissive with regards to the web application ports","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6","type":"Microsoft.Authorization/policyDefinitions","name":"201ea587-7c90-41c3-910f-c280ae01cfd6"}' headers: cache-control: - no-cache 
content-length: - - '1196' + - '1231' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:02 GMT + - Thu, 06 Feb 2020 00:13:50 GMT expires: - '-1' pragma: @@ -11775,7 +12357,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11792,7 +12374,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:04 GMT + - Thu, 06 Feb 2020 00:13:50 GMT expires: - '-1' pragma: @@ -11819,7 +12401,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11832,17 +12414,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Mic
rosoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Micr
osoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a","type":"Microsoft.Authorization/policyDefinitions","name":"21e2995e-683e-497a-9e81-2f42ad07050a"}' headers: cache-control: - no-cache content-length: - - '2638' + - '3222' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:05 GMT + - Thu, 06 Feb 2020 00:13:50 GMT expires: - '-1' pragma: @@ -11873,7 +12455,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11890,7 +12472,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:05 GMT + - Thu, 06 Feb 2020 00:13:50 GMT expires: - '-1' pragma: 
@@ -11917,7 +12499,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -11927,17 +12509,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit API Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a API app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"}' + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac","type":"Microsoft.Authorization/policyDefinitions","name":"224da9fe-0d38-4e79-adb3-0a6e2af942ac"}' headers: cache-control: - no-cache content-length: - - '1150' + - '1178' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:06 GMT + - Thu, 06 Feb 2020 00:13:51 GMT expires: - '-1' pragma: @@ -11968,7 +12551,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -11985,7 +12568,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:07 GMT + - Thu, 06 Feb 2020 00:13:52 GMT expires: - '-1' pragma: @@ -12012,7 +12595,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12025,17 +12608,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Account Management''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","det
ails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer",
"like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountManagement","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a","type":"Microsoft.Authorization/policyDefinitions","name":"225e937e-d32e-4713-ab74-13ce95b3519a"}' headers: cache-control: - no-cache content-length: - - '2690' + - '3274' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:08 GMT + - Thu, 06 Feb 2020 00:13:52 GMT expires: - '-1' pragma: @@ -12066,7 +12649,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12083,7 +12666,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:09 GMT + - Thu, 06 Feb 2020 00:13:52 GMT expires: - '-1' pragma: 
@@ -12110,7 +12693,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12121,17 +12704,18 @@ interactions: your virtual machines","policyType":"BuiltIn","mode":"All","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to - gain admin access to the machine.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + gain admin access to the machine.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"restrictAccessToManagementPorts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","type":"Microsoft.Authorization/policyDefinitions","name":"22730e10-96f6-4aac-ad84-9383d35b5917"}' headers: cache-control: - no-cache content-length: - - '1171' + - '1189' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:09 GMT + - Thu, 06 Feb 2020 00:13:52 GMT expires: - '-1' pragma: 
@@ -12162,7 +12746,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12179,7 +12763,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:10 GMT + - Thu, 06 Feb 2020 00:13:53 GMT expires: - '-1' pragma: @@ -12206,7 +12790,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12218,17 +12802,17 @@ interactions: enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, - and session-hijacking","metadata":{"category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + and session-hijacking","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redis"},{"field":"Microsoft.Cache/Redis/enableNonSslPort","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb","type":"Microsoft.Authorization/policyDefinitions","name":"22bee202-a82f-4305-9a2a-6d7f44d4dedb"}' headers: cache-control: - no-cache content-length: - - '1066' + - '1084' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:11 GMT + - Thu, 06 Feb 2020 00:13:53 GMT expires: - '-1' pragma: @@ -12259,7 +12843,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12276,7 +12860,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:12 GMT + - Thu, 06 Feb 2020 00:13:54 GMT expires: - '-1' pragma: 
@@ -12303,7 +12887,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12317,8 +12901,8 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},
{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MinimumPasswordLength"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -12330,11 +12914,11 @@ interactions: cache-control: - no-cache content-length: - - '5280' + - '5714' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:12 GMT + - Thu, 06 Feb 2020 00:13:54 GMT expires: - '-1' pragma: 
@@ -12365,7 +12949,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12382,7 +12966,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:14 GMT + - Thu, 06 Feb 2020 00:13:54 GMT expires: - '-1' pragma: @@ -12409,7 +12993,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12419,17 +13003,17 @@ interactions: string: '{"properties":{"displayName":"Service Bus should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Service Bus not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.ServiceBus/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e","type":"Microsoft.Authorization/policyDefinitions","name":"235359c5-7c52-4b82-9055-01c75cf9f60e"}' headers: cache-control: - no-cache content-length: - - '1009' + - '1027' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:14 GMT + - Thu, 06 Feb 2020 00:13:54 GMT expires: - '-1' pragma: @@ -12460,7 +13044,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12477,7 +13061,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:16 GMT + - Thu, 06 Feb 2020 00:13:56 GMT expires: - '-1' pragma: 
@@ -12504,7 +13088,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12515,7 +13099,7 @@ interactions: Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -12531,11 +13115,11 @@ interactions: cache-control: - no-cache content-length: - - '3811' + - '3829' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:16 GMT + - Thu, 06 Feb 2020 00:13:56 GMT expires: - '-1' pragma: @@ -12566,7 +13150,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12583,7 +13167,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:18 GMT + - Thu, 06 Feb 2020 00:13:56 GMT expires: - '-1' pragma: @@ -12610,7 +13194,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12623,16 +13207,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"M
icrosoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"}' + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.
Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc","type":"Microsoft.Authorization/policyDefinitions","name":"24dde96d-f0b1-425e-884f-4a1421e2dcdc"}' headers: cache-control: - no-cache content-length: - - '2748' + - '3182' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:19 GMT + - Thu, 06 Feb 2020 00:13:56 GMT expires: - '-1' pragma: @@ -12663,7 +13248,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12680,7 +13265,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:19 GMT + - Thu, 06 Feb 2020 00:13:57 GMT expires: - '-1' pragma: 
@@ -12707,7 +13292,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12718,7 +13303,7 @@ interactions: Storage Gen1 to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this - diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -12734,11 +13319,11 @@ interactions: cache-control: - no-cache content-length: - - '3810' + - '3828' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:20 GMT + - Thu, 06 Feb 2020 00:13:57 GMT expires: - '-1' pragma: @@ -12769,7 +13354,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12786,7 +13371,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:21 GMT + - Thu, 06 Feb 2020 00:13:57 GMT expires: - '-1' pragma: @@ -12813,7 +13398,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12823,18 +13408,18 @@ interactions: string: '{"properties":{"displayName":"Endpoint protection solution should be installed on virtual machine scale sets","policyType":"BuiltIn","mode":"Indexed","description":"Audit the existence and health of an endpoint protection solution on your virtual - machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"category":"Security + machines scale sets, to protect them from threats and vulnerabilities.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EndpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de","type":"Microsoft.Authorization/policyDefinitions","name":"26a828e1-e88f-464e-bbb3-c134a282b9de"}' headers: cache-control: - no-cache content-length: - - '1113' + - '1131' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:22 GMT + - Thu, 06 Feb 2020 00:13:57 GMT expires: - '-1' pragma: 
@@ -12865,7 +13450,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -12882,7 +13467,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:23 GMT + - Thu, 06 Feb 2020 00:13:58 GMT expires: - '-1' pragma: @@ -12909,7 +13494,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12919,7 +13504,7 @@ interactions: string: '{"properties":{"displayName":"Metric alert rules should be configured on Batch accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit configuration of metric alert rules on Batch account to enable the required - metric","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + metric","metadata":{"version":"1.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"metricName":{"type":"String","metadata":{"displayName":"Metric name","description":"The metric name that an alert rule must be enabled on"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/alertRules","existenceScope":"Subscription","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/alertRules/isEnabled","equals":"true"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.metricName","equals":"[parameters(''metricName'')]"},{"field":"Microsoft.Insights/alertRules/condition.dataSource.resourceUri","equals":"[concat(''/subscriptions/'', subscription().subscriptionId, ''/resourcegroups/'', resourceGroup().name, @@ -12928,11 +13513,11 @@ interactions: cache-control: - no-cache content-length: - - '1489' + - '1507' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:24 GMT + - Thu, 06 Feb 2020 00:13:58 GMT expires: - '-1' pragma: @@ -12963,7 +13548,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -12980,7 +13565,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:24 GMT + - Thu, 06 Feb 2020 00:13:55 GMT expires: - '-1' pragma: @@ -13007,7 +13592,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -13017,7 +13602,7 @@ interactions: string: '{"properties":{"displayName":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration - when a VM is not configured with the antimalware extension.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","default
Value":"","metadata":{"description":"Semicolon + when a VM is not configured with the antimalware extension.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"ExclusionsPaths":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of file paths or locations to exclude from scanning"}},"ExclusionsExtensions":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited 
list of file extensions to exclude from scanning"}},"ExclusionsProcesses":{"type":"string","defaultValue":"","metadata":{"description":"Semicolon delimited list of process names to exclude from scanning"}},"RealtimeProtectionEnabled":{"type":"string","defaultValue":"true","metadata":{"description":"Indicates @@ -13031,11 +13616,11 @@ interactions: cache-control: - no-cache content-length: - - '4556' + - '4574' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:25 GMT + - Thu, 06 Feb 2020 00:13:55 GMT expires: - '-1' pragma: @@ -13066,7 +13651,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -13083,7 +13668,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:26 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: @@ -13110,7 +13695,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -13123,17 +13708,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detail
s":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like"
:"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0","type":"Microsoft.Authorization/policyDefinitions","name":"29829ec2-489d-4925-81b7-bda06b1718e0"}' headers: cache-control: - no-cache content-length: - - '2681' + - '3265' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:27 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: @@ -13164,7 +13749,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -13181,7 +13766,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:29 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: 
@@ -13208,7 +13793,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -13220,7 +13805,7 @@ interactions: created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New ''modify'' effect policies are available that support remediation - of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + of tags on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"append","details":[{"field":"[concat(''tags['', @@ -13229,11 +13814,11 @@ interactions: cache-control: - no-cache content-length: - - '1212' + - '1230' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:29 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: @@ -13264,7 +13849,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -13281,7 +13866,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:30 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: @@ -13308,7 +13893,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -13317,18 +13902,18 @@ interactions: body: string: '{"properties":{"displayName":"Managed identity should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Use a managed - identity for enhanced authentication security","metadata":{"category":"App + identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332","type":"Microsoft.Authorization/policyDefinitions","name":"2b9ad585-36bc-4615-b300-fd4435808332"}' headers: cache-control: - no-cache content-length: - - '966' + - '984' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:31 GMT + - Thu, 06 Feb 2020 00:14:00 GMT expires: - '-1' pragma: 
@@ -13359,108 +13944,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''2c89a2e5-7285-40fe-afe0-ae8654b92fb2'' could not be found."}}' - headers: - cache-control: - - no-cache - content-length: - - '138' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:04:33 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - status: - code: 404 - message: Not Found -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2?api-version=2019-09-01 - response: - body: - string: '{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any unattached disk without encryption 
enabled.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"}' - headers: - cache-control: - - no-cache - content-length: - - '1007' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:04:33 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb?api-version=2019-09-01 - response: - body: - string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - 
''2d21331d-a4c2-4def-a9ad-ee4e1e023beb'' could not be found."}}' + ''2c89a2e5-7285-40fe-afe0-ae8654b92fab'' could not be found."}}' headers: cache-control: - no-cache @@ -13469,7 +13961,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:35 GMT + - Thu, 06 Feb 2020 00:14:01 GMT expires: - '-1' pragma: 
@@ -13496,27 +13988,36 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"App Service should use a virtual network - service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any App Service not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"}' + string: '{"properties":{"displayName":"SSH access from the Internet should be + blocked","policyType":"BuiltIn","mode":"All","description":"This policy audits + any network security rule that allows SSH access from 
Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"22"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),22), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), 
sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))))),22), ''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"22"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fab"}' headers: cache-control: - no-cache content-length: - - '1020' + - '3289' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:35 GMT + - Thu, 06 Feb 2020 00:14:01 GMT expires: - '-1' pragma: 
@@ -13547,15 +14048,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''2d60d3b7-aa10-454c-88a8-de39d99d17c6'' could not be found."}}' + ''2c89a2e5-7285-40fe-afe0-ae8654b92fb2'' could not be found."}}' headers: cache-control: - no-cache @@ -13564,7 +14065,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:36 GMT + - Thu, 06 Feb 2020 00:14:02 GMT expires: - '-1' pragma: 
@@ -13591,29 +14092,25 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that do not store passwords using reversible - encryption. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsing
ReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"}' + string: '{"properties":{"displayName":"Unattached disks should be encrypted","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any unattached disk without encryption enabled.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/disks"},{"field":"Microsoft.Compute/disks/diskState","equals":"Unattached"},{"anyOf":[{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","exists":"false"},{"field":"Microsoft.Compute/disks/encryptionSettingsCollection.enabled","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2","type":"Microsoft.Authorization/policyDefinitions","name":"2c89a2e5-7285-40fe-afe0-ae8654b92fb2"}' headers: cache-control: - no-cache content-length: - - '2779' + - '1025' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:36 GMT + - Thu, 06 Feb 2020 00:14:02 GMT expires: - '-1' pragma: 
@@ -13644,15 +14141,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''2d67222d-05fd-4526-a171-2ee132ad9e83'' could not be found."}}' + ''2d21331d-a4c2-4def-a9ad-ee4e1e023beb'' could not be found."}}' headers: cache-control: - no-cache @@ -13661,7 +14158,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:38 GMT + - Thu, 06 Feb 2020 00:14:03 GMT expires: - '-1' pragma: 
@@ -13688,29 +14185,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux - VMs that allow remote connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Linux virtual machines that allow remote connections from accounts - without passwords. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"}' + string: '{"properties":{"displayName":"App Service should use a virtual network + service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any App Service not configured to use a virtual network service + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/virtualNetworkConnections","existenceCondition":{"field":"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb","type":"Microsoft.Authorization/policyDefinitions","name":"2d21331d-a4c2-4def-a9ad-ee4e1e023beb"}' headers: cache-control: - no-cache content-length: - - '3214' + - '1038' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:39 
GMT + - Thu, 06 Feb 2020 00:14:03 GMT expires: - '-1' pragma: @@ -13741,15 +14236,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''2f2ee1de-44aa-4762-b6bd-0893fc3f306d'' could not be found."}}' + ''2d60d3b7-aa10-454c-88a8-de39d99d17c6'' could not be found."}}' headers: cache-control: - no-cache @@ -13758,7 +14253,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:39 GMT + - Thu, 06 Feb 2020 00:14:03 GMT expires: - '-1' pragma: 
@@ -13785,29 +14280,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Network traffic data collection - agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security - Center uses the Microsoft Monitoring Dependency Agent to collect network traffic - data from your Azure virtual machines to enable advanced network protection - features such as traffic visualization on the network map, network hardening - recommendations and specific network threats.","metadata":{"category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable Dependency Agent for Windows VMs 
monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals
":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs that do not store passwords using reversible encryption","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not store passwords using reversible + encryption. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6","type":"Microsoft.Authorization/policyDefinitions","name":"2d60d3b7-aa10-454c-88a8-de39d99d17c6"}' headers: cache-control: - no-cache content-length: - - '4043' + - '3213' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:40 GMT + - Thu, 06 Feb 2020 00:14:03 GMT expires: - '-1' pragma: @@ -13838,15 +14334,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''2fde8a98-6892-426a-83ba-050e640c0ce0'' could not be found."}}' + ''2d67222d-05fd-4526-a171-2ee132ad9e83'' could not be found."}}' headers: cache-control: - no-cache 
@@ -13855,7 +14351,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:41 GMT + - Thu, 06 Feb 2020 00:14:04 GMT expires: - '-1' pragma: 
@@ -13882,28 +14378,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Web Application should - only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use - of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux + VMs that allow remote 
connections from accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that allow remote connections from accounts + without passwords. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/i
mageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83","type":"Microsoft.Authorization/policyDefinitions","name":"2d67222d-05fd-4526-a171-2ee132ad9e83"}' headers: cache-control: - no-cache content-length: - - '1247' + - '3685' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:42 GMT + - Thu, 06 Feb 2020 00:14:04 GMT expires: - '-1' pragma: 
@@ -13934,15 +14432,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''30040dab-4e75-4456-8273-14b8f75d91d9'' could not be found."}}' + ''2f2ee1de-44aa-4762-b6bd-0893fc3f306d'' could not be found."}}' headers: cache-control: - no-cache @@ -13951,7 +14449,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:43 GMT + - Thu, 06 Feb 2020 00:14:05 GMT expires: - '-1' pragma: 
@@ -13978,30 +14476,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Security Options - Network Access''. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compl
iant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"}' + string: '{"properties":{"displayName":"[Preview]: Network traffic data collection + agent should be installed on Windows virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"Security + Center uses the Microsoft Monitoring Dependency Agent to collect network traffic + data from your Azure virtual machines to enable advanced network protection + features such as traffic visualization on the network map, network hardening + recommendations and specific network threats.","metadata":{"version":"1.0.0-preview","category":"Monitoring","preview":"true"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable Dependency Agent for Windows VMs + monitoring"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentWindows"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.
DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d","type":"Microsoft.Authorization/policyDefinitions","name":"2f2ee1de-44aa-4762-b6bd-0893fc3f306d"}' headers: cache-control: - no-cache content-length: - - '2664' + - '4080' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:44 GMT + - Thu, 06 Feb 2020 00:14:05 GMT expires: - '-1' pragma: @@ -14032,15 +14530,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''315c850a-272d-4502-8935-b79010405970'' could not be found."}}' + ''2fde8a98-6892-426a-83ba-050e640c0ce0'' could not be found."}}' headers: cache-control: - no-cache @@ -14049,7 +14547,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:45 GMT + - Thu, 06 Feb 2020 00:14:06 GMT expires: - '-1' pragma: 
@@ -14076,40 +14574,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not joined to the specified domain. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain - Name (FQDN)","description":"The fully qualified domain name (FQDN) that the - Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":
"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', - ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"}' + string: '{"properties":{"displayName":"[Deprecated]: Web Application should + only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer 
eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForWebApplication","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0","type":"Microsoft.Authorization/policyDefinitions","name":"2fde8a98-6892-426a-83ba-050e640c0ce0"}' headers: cache-control: - no-cache content-length: - - '5979' + - '1290' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:45 GMT + - Thu, 06 Feb 2020 00:14:06 GMT expires: - '-1' pragma: 
@@ -14140,15 +14626,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''32133ab0-ee4b-4b44-98d6-042180979d50'' could not be found."}}' + ''30040dab-4e75-4456-8273-14b8f75d91d9'' could not be found."}}' headers: cache-control: - no-cache @@ -14157,7 +14643,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:46 GMT + - Thu, 06 Feb 2020 00:14:06 GMT expires: - '-1' pragma: 
@@ -14184,31 +14670,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent - Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports - VMs as non-compliant if the VM Image (OS) is not in the list defined and the - agent is not installed. The list of OS images will be updated over time as - support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Windows OS to add to scope","description":"Example - value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: - List of VM images that have supported Linux OS to add to scope","description":"Example - value: 
''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/i
mageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[
{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: ''Security Options - Network Access''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9","type":"Microsoft.Authorization/policyDefinitions","name":"30040dab-4e75-4456-8273-14b8f75d91d9"}' headers: cache-control: - no-cache content-length: - - '5925' + - '3248' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:47 GMT + - Thu, 06 Feb 2020 00:14:06 GMT expires: - '-1' pragma: @@ -14239,15 +14724,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''32b1e4d4-6cd5-47b4-a935-169da8a5c262'' could not be found."}}' + ''315c850a-272d-4502-8935-b79010405970'' could not be found."}}' headers: cache-control: - no-cache 
@@ -14256,7 +14741,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:48 GMT + - Thu, 06 Feb 2020 00:14:07 GMT expires: - '-1' pragma: 
@@ -14283,41 +14768,40 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970?api-version=2019-09-01 response: body: string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - VMs on which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This + VMs that are not joined to the specified domain","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines - on which the specified services are not installed and ''Running''. It also - creates a system-assigned managed identity and deploys the VM extension for - Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service - names (supports wildcards)","description":"A semicolon-separated list of the - names of the services that should be installed and ''Running''. e.g. 
''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"ex
istenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', - ''='', parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + that are not joined to the specified domain. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DomainName":{"type":"String","metadata":{"displayName":"Domain + Name (FQDN)","description":"The fully qualified domain name (FQDN) that the + Windows VMs should be joined to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microso
ft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[DomainMembership]WindowsDomainMembership;DomainName'', + ''='', parameters(''DomainName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDomainMembership"},"DomainName":{"value":"[parameters(''DomainName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DomainName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[DomainMembership]WindowsDomainMembership;DomainName","value":"[parameters(''DomainName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"}' + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970","type":"Microsoft.Authorization/policyDefinitions","name":"315c850a-272d-4502-8935-b79010405970"}' headers: cache-control: - no-cache content-length: - - '6078' + - '6390' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:49 GMT + 
- Thu, 06 Feb 2020 00:14:07 GMT expires: - '-1' pragma: @@ -14348,15 +14832,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''3470477a-b35a-49db-aca5-1073d04524fe'' could not be found."}}' + ''32133ab0-ee4b-4b44-98d6-042180979d50'' could not be found."}}' headers: cache-control: - no-cache @@ -14365,7 +14849,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:50 GMT + - Thu, 06 Feb 2020 00:14:08 GMT expires: - '-1' pragma: 
@@ -14392,37 +14876,140 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit - Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Linux virtual machines - that have accounts without passwords. It also creates a system-assigned managed - identity and deploys the VM extension for Guest Configuration. This policy - should only be used along with its corresponding audit policy in an initiative. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"f
ield":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + string: '{"properties":{"displayName":"[Preview]: Audit Log Analytics Agent + Deployment - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports + VMs as non-compliant if the VM Image (OS) is not in the list defined and the + agent is not installed. 
The list of OS images will be updated over time as + support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Windows OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: + List of VM images that have supported Linux OS to add to scope","description":"Example + value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"anyOf":[{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_windows'')]"},{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude_linux'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/i
mageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-
HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"12*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"14.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"16.04*LTS"},{"field":"Microsoft.Compute/imageSKU","like":"18.04*LTS"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Oracle"},{"field":"Microsoft.Compute/imageOffer","equals":"Oracle-Linux"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7.*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50","type":"Microsoft.Authorization/policyDefinitions","name":"32133ab0-ee4b-4b44-98d6-042180979d50"}' + headers: + cache-control: + - no-cache + content-length: + - '5951' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:14:08 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - 
Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''32b1e4d4-6cd5-47b4-a935-169da8a5c262'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:14:09 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows + VMs on which the specified services are not installed and 
''Running''","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + on which the specified services are not installed and ''Running''. It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ServiceName":{"type":"String","metadata":{"displayName":"Service + names (supports wildcards)","description":"A semicolon-separated list of the + names of the services that should be installed and ''Running''. e.g. ''WinRm;Wi*''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsServiceStatus]WindowsServiceStatus1;ServiceName'', + ''='', 
parameters(''ServiceName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsServiceStatus"},"ServiceName":{"value":"[parameters(''ServiceName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ServiceName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName","value":"[parameters(''ServiceName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"}' + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262","type":"Microsoft.Authorization/policyDefinitions","name":"32b1e4d4-6cd5-47b4-a935-169da8a5c262"}' headers: cache-control: - no-cache content-length: - - '5660' + - '6489' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:51 GMT + - Thu, 06 Feb 2020 00:14:09 GMT expires: - '-1' pragma: @@ -14453,15 +15040,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''34c877ad-507e-4c82-993e-3452a6e0ad3c'' could not be found."}}' + ''3470477a-b35a-49db-aca5-1073d04524fe'' could not be found."}}' headers: cache-control: - no-cache 
@@ -14470,7 +15057,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:51 GMT + - Thu, 06 Feb 2020 00:14:09 GMT expires: - '-1' pragma: 
@@ -14497,30 +15084,37 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Audit unrestricted network access to - storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit - unrestricted network access in your storage account firewall settings. Instead, - configure network rules so only applications from allowed networks can access - the storage account. To allow connections from specific internet or on-premise - clients, access can be granted to traffic from specific Azure virtual networks - or to public internet IP address ranges","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"}' + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit + Linux VMs that have accounts without passwords","policyType":"BuiltIn","mode":"Indexed","description":"This + policy 
creates a Guest Configuration assignment to audit Linux virtual machines + that have accounts without passwords. It also creates a system-assigned managed + identity and deploys the VM extension for Guest Configuration. This policy + should only be used along with its corresponding audit policy in an initiative. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Micros
oft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid232"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe","type":"Microsoft.Authorization/policyDefinitions","name":"3470477a-b35a-49db-aca5-1073d04524fe"}' headers: cache-control: - no-cache content-length: - - '1158' + - '6131' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:52 GMT + - Thu, 06 Feb 2020 00:14:10 GMT expires: - '-1' pragma: 
@@ -14551,7 +15145,105 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''34c877ad-507e-4c82-993e-3452a6e0ad3c'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:14:10 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Audit unrestricted network access to + storage accounts","policyType":"BuiltIn","mode":"Indexed","description":"Audit + unrestricted network access in your storage account firewall settings. Instead, + configure network rules so only applications from allowed networks can access + the storage account. 
To allow connections from specific internet or on-premise + clients, access can be granted to traffic from specific Azure virtual networks + or to public internet IP address ranges","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","equals":"Allow"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","type":"Microsoft.Authorization/policyDefinitions","name":"34c877ad-507e-4c82-993e-3452a6e0ad3c"}' + headers: + cache-control: + - no-cache + content-length: + - '1176' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:14:10 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14568,7 +15260,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:53 GMT + - Thu, 06 Feb 2020 00:14:09 GMT expires: - '-1' pragma: 
@@ -14595,7 +15287,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -14606,19 +15298,19 @@ interactions: be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"2.0.0","category":"Logic Apps"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d","type":"Microsoft.Authorization/policyDefinitions","name":"34f95f76-5386-4de7-b824-0d8478470c9d"}' headers: cache-control: - no-cache content-length: - - '1780' + - '1894' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:54 GMT + - Thu, 06 Feb 2020 00:14:09 GMT expires: - '-1' pragma: @@ -14649,7 +15341,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14666,7 +15358,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:55 GMT + - Thu, 06 Feb 2020 00:14:12 GMT expires: - '-1' pragma: 
@@ -14693,7 +15385,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -14707,7 +15399,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MaximumPasswordAge","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MaximumPasswordAge"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -14719,11 +15412,11 @@ interactions: cache-control: - no-cache content-length: - - '5244' + - '5678' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:56 GMT + - Thu, 06 Feb 2020 00:14:12 GMT expires: - '-1' pragma: 
@@ -14754,7 +15447,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14771,7 +15464,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:56 GMT + - Thu, 06 Feb 2020 00:14:13 GMT expires: - '-1' pragma: @@ -14798,7 +15491,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -14808,18 +15501,18 @@ interactions: string: '{"properties":{"displayName":"CORS should not allow every resource to access your API App","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. - Allow only required domains to interact with your API app.","metadata":{"category":"App + Allow only required domains to interact with your API app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac","type":"Microsoft.Authorization/policyDefinitions","name":"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"}' headers: cache-control: - no-cache content-length: - - '1056' + - '1074' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:57 GMT + - Thu, 06 Feb 2020 00:14:13 GMT expires: - '-1' pragma: @@ -14850,7 +15543,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14867,7 +15560,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:58 GMT + - Thu, 06 Feb 2020 00:14:14 GMT expires: - '-1' pragma: 
@@ -14894,7 +15587,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14905,16 +15598,16 @@ interactions: with a network security group","policyType":"BuiltIn","mode":"All","description":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway - to stop functioning.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"}' + to stop functioning.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},{"field":"name","equals":"GatewaySubnet"},{"field":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","exists":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010","type":"Microsoft.Authorization/policyDefinitions","name":"35f9c03a-cc27-418e-9c0c-539ff999d010"}' headers: cache-control: - no-cache content-length: - - '845' + - '863' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:04:59 GMT + - Thu, 06 Feb 2020 00:14:14 GMT expires: - '-1' pragma: 
@@ -14945,7 +15638,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -14962,7 +15655,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:00 GMT + - Thu, 06 Feb 2020 00:14:14 GMT expires: - '-1' pragma: @@ -14989,7 +15682,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -14998,18 +15691,18 @@ interactions: body: string: '{"properties":{"displayName":"Deploy Advanced Threat Protection on Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy enables Advanced Threat Protection on Storage Accounts.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"storageAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''storageAccountName''), ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"storageAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c","type":"Microsoft.Authorization/policyDefinitions","name":"361c2074-3595-4e5d-8cab-4f21dffc835c"}' headers: cache-control: - no-cache content-length: - - '1643' + - '1661' 
content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:00 GMT + - Thu, 06 Feb 2020 00:14:14 GMT expires: - '-1' pragma: @@ -15040,7 +15733,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15057,7 +15750,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:01 GMT + - Thu, 06 Feb 2020 00:14:16 GMT expires: - '-1' pragma: @@ -15084,7 +15777,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15094,17 +15787,17 @@ interactions: string: '{"properties":{"displayName":"Automation account variables should be encrypted","policyType":"BuiltIn","mode":"All","description":"It is important to enable encryption of Automation account variable assets when storing sensitive - data","metadata":{"category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + data","metadata":{"version":"1.0.0","category":"Automation"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Automation/automationAccounts/variables"},{"field":"Microsoft.Automation/automationAccounts/variables/isEncrypted","notEquals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735","type":"Microsoft.Authorization/policyDefinitions","name":"3657f5a0-770e-44a3-b44e-9431ba1e9735"}' headers: cache-control: - no-cache content-length: - - '913' + - '931' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:01 GMT + - Thu, 06 Feb 2020 00:14:16 GMT expires: - '-1' pragma: @@ -15135,7 +15828,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15152,7 +15845,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:03 GMT + - Thu, 06 Feb 2020 00:14:16 GMT expires: - '-1' pragma: 
@@ -15179,7 +15872,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15187,17 +15880,17 @@ interactions: response: body: string: '{"properties":{"displayName":"Deploy Threat Detection on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), + policy ensures that Threat Detection is enabled on SQL Servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters(''serverName''), 
''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}}]},"parameters":{"serverName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5","type":"Microsoft.Authorization/policyDefinitions","name":"36d49e87-48c4-4f2e-beed-ba4ed02b71f5"}' headers: cache-control: - no-cache content-length: - - '1349' + - '1367' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:03 GMT + - Thu, 06 Feb 2020 00:14:16 GMT expires: - '-1' pragma: @@ -15228,7 +15921,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15245,7 +15938,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:04 GMT + - Thu, 06 Feb 2020 00:14:17 GMT expires: - '-1' pragma: 
@@ -15272,40 +15965,41 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Security''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"Network - Security: Configure encryption types allowed for Kerberos","description":"Specifies - the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"Network - security: LAN Manager authentication level","description":"Specify which challenge-response - authentication protocol is used for network logons. 
This choice affects the - level of authentication protocol used by clients, the level of session security - negotiated, and the level of authentication accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"Network - security: LDAP client signing requirements","description":"Specify the level - of data signing that is requested on behalf of clients that issue LDAP BIND - requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - clients","description":"Specifies which behaviors are allowed by clients for - applications using the NTLM Security Support Provider (SSP). The SSP Interface + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"String","metadata":{"displayName":"[Preview]: + Network Security: Configure encryption types allowed for Kerberos","description":"Specifies + the encryption types that Kerberos is allowed to use."},"defaultValue":"2147483644"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LAN Manager authentication level","description":"Specify + which challenge-response authentication protocol is used for network logons. 
+ This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers."},"defaultValue":"5"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: LDAP client signing requirements","description":"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests."},"defaultValue":"1"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients","description":"Specifies which behaviors are allowed by clients + for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers - for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"Network - security: Minimum session security for NTLM SSP based (including secure RPC) - servers","description":"Specifies which behaviors are allowed by servers for - applications using the NTLM Security Support Provider (SSP). 
The SSP Interface - (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":
"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + for more information."},"defaultValue":"537395200"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"String","metadata":{"displayName":"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers","description":"Specifies which behaviors are allowed by servers + for applications using the NTLM Security Support Provider (SSP). The SSP Interface + (SSPI) is used by applications that need authentication services."},"defaultValue":"537395200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft
.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network Security: Configure encryption types allowed for Kerberos;ExpectedValue'', ''='', parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos''), '','', ''Network security: LAN Manager authentication level;ExpectedValue'', 
@@ -15315,7 +16009,8 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients''), '','', ''Network security: Minimum session security for NTLM SSP based (including - secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"type":"st
ring"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + secure RPC) servers;ExpectedValue'', ''='', parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkSecurity"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},"NetworkSecurityLANManagerAuthenticationLevel":{"value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},"NetworkSecurityLDAPClientSigningRequirements":{"value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos":{"type":"string"},"NetworkSecurityLANManagerAuthenticationLevel":{"type":"string"},"NetworkSecurityLDAPClientSigningRequirements":{"type":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients":{"ty
pe":"string"},"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network 
@@ -15323,17 +16018,28 @@ interactions: security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network security: Minimum session security for NTLM SSP based (including secure RPC) - servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue","value":"[parameters(''NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'')]"},{"name":"Network + security: LAN Manager authentication level;ExpectedValue","value":"[parameters(''NetworkSecurityLANManagerAuthenticationLevel'')]"},{"name":"Network + security: LDAP client signing requirements;ExpectedValue","value":"[parameters(''NetworkSecurityLDAPClientSigningRequirements'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + 
clients;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'')]"},{"name":"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue","value":"[parameters(''NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b","type":"Microsoft.Authorization/policyDefinitions","name":"36e17963-7202-494a-80c3-f508211c826b"}' headers: cache-control: - no-cache content-length: - - '9632' + - '12015' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:04 GMT + - Thu, 06 Feb 2020 00:14:17 GMT expires: - '-1' pragma: 
@@ -15364,7 +16070,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15381,7 +16087,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:05 GMT + - Thu, 06 Feb 2020 00:14:18 GMT expires: - '-1' pragma: 
@@ -15408,33 +16114,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Interactive Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsInteractiveLogon"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9","type":"Microsoft.Authorization/policyDefinitions","name":"3750712b-43d0-478e-9966-d2c26f6141b9"}' headers: cache-control: - no-cache content-length: - - '4392' + - '5780' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:07 GMT + - Thu, 06 Feb 2020 00:14:18 GMT expires: - '-1' pragma: @@ -15465,7 +16176,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15482,7 +16193,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:08 GMT + - Thu, 06 Feb 2020 00:14:18 GMT expires: - '-1' pragma: @@ -15509,7 +16220,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15522,17 +16233,17 @@ interactions: such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and - resource groups for easier security management","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + resource groups for easier security management","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","in":["Microsoft.ClassicStorage/storageAccounts","Microsoft.Storage/StorageAccounts"]},{"value":"[field(''type'')]","equals":"Microsoft.ClassicStorage/storageAccounts"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","type":"Microsoft.Authorization/policyDefinitions","name":"37e0d2fe-28a5-43d6-a273-67d37d1f5606"}' headers: cache-control: - no-cache content-length: - - '1254' + - '1272' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:09 GMT + - Thu, 06 Feb 2020 00:14:18 GMT expires: - '-1' pragma: 
@@ -15563,7 +16274,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15580,7 +16291,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:09 GMT + - Thu, 06 Feb 2020 00:14:19 GMT expires: - '-1' pragma: @@ -15607,7 +16318,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15618,19 +16329,19 @@ interactions: enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"2.0.0","category":"Internet of Things"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Devices/IotHubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4","type":"Microsoft.Authorization/policyDefinitions","name":"383856f8-de7f-44a2-81fc-e5135b5c2aa4"}' headers: cache-control: - no-cache content-length: - - '1785' + - '1899' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:10 GMT + - Thu, 06 Feb 2020 00:14:19 GMT expires: - '-1' pragma: @@ -15661,7 +16372,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15678,7 +16389,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:12 GMT + - Thu, 06 Feb 2020 00:14:19 GMT expires: - '-1' pragma: 
@@ -15705,7 +16416,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15716,17 +16427,17 @@ interactions: managed instance should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. This email address receives alert - notifications when anomalous activities are detected on SQL managed instances.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL managed instances.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"allOf":[{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","notEquals":""},{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8","type":"Microsoft.Authorization/policyDefinitions","name":"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"}' headers: cache-control: - no-cache content-length: - - '1325' + - '1343' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:12 GMT + - Thu, 06 Feb 2020 00:14:20 GMT expires: - '-1' pragma: 
@@ -15757,7 +16468,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15774,7 +16485,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:13 GMT + - Thu, 06 Feb 2020 00:14:21 GMT expires: - '-1' pragma: @@ -15801,7 +16512,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15810,17 +16521,18 @@ interactions: body: string: '{"properties":{"displayName":"FTPS only should be required in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15","type":"Microsoft.Authorization/policyDefinitions","name":"399b2637-a50f-4f95-96f8-3a145476eb15"}' headers: cache-control: - no-cache content-length: - - '951' + - '969' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:13 GMT + - Thu, 06 Feb 2020 00:14:21 GMT expires: - '-1' pragma: @@ -15851,7 +16563,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15868,7 +16580,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:14 GMT + - Thu, 06 Feb 2020 00:14:21 GMT expires: - '-1' pragma: 
@@ -15895,7 +16607,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -15907,17 +16619,17 @@ interactions: Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to - access.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"}' + access.","metadata":{"version":"1.0.0-preview","category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94","type":"Microsoft.Authorization/policyDefinitions","name":"3abeb944-26af-43ee-b83d-32aaf060fb94"}' headers: cache-control: - no-cache content-length: - - 
'1199' + - '1236' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:15 GMT + - Thu, 06 Feb 2020 00:14:21 GMT expires: - '-1' pragma: 
@@ -15948,7 +16660,103 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''3b980d31-7904-4bb7-8575-5665739a8052'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:14:23 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"An activity log alert should exist for + specific Security operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Security operations with no activity log alerts 
configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Security Operation name for which activity log alert + should exist"},"allowedValues":["Microsoft.Security/policies/write","Microsoft.Security/securitySolutions/write","Microsoft.Security/securitySolutions/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Security"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052","type":"Microsoft.Authorization/policyDefinitions","name":"3b980d31-7904-4bb7-8575-5665739a8052"}' + headers: + cache-control: + - no-cache + content-length: + - '2063' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 
00:14:23 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -15965,7 +16773,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:17 GMT + - Thu, 06 Feb 2020 00:14:23 GMT expires: - '-1' pragma: @@ -15992,7 +16800,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16005,7 +16813,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk","2019-Datacenter-zhcn"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Mic
rosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerSemiAnnual"},{"field":"Microsoft.Compute/imageSKU","in":["Datacenter-Core-1709-smalldisk","Datacenter-Core-1709-with-Containers-smalldisk","Datacenter-Core-1803-with-Containers-smalldisk"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServerHPCPack"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServerHPCPack"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"anyOf":[{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2016-BYOL"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2"},{"field":"Microsoft.Compute/imageOffer","like":"*-WS2012R2-BYOL"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftRServer"},{"field":"Microsoft.Compute/imageOffer","equals":"MLServer-WS2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftVisualStudio"},{"field":"Microsoft.Compute/imageOffer","in":["VisualStudio","Windows"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftDynamicsAX"},{"field":"Microsoft.Compute/imageOffer","equals":"Dynamics"},{"field":"Microsoft.Compute/imageSKU","equals":"Pre-Req-AX7-Onebox-U8"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","equals":"windows-data-science-vm"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsDesktop"},{"field":"Microsoft.Compute/imageOffer","equals":"Windows-10"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentWi
ndows"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentWindows","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled @@ -16014,11 +16822,11 @@ interactions: cache-control: - no-cache content-length: - - '5386' + - '5412' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:17 GMT + - Thu, 06 Feb 2020 00:14:23 GMT expires: - '-1' pragma: @@ -16049,7 +16857,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16066,7 +16874,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:18 GMT + - Thu, 06 Feb 2020 00:14:24 GMT expires: - '-1' pragma: 
@@ -16093,7 +16901,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16106,7 +16914,7 @@ interactions: list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the @@ -16121,11 +16929,11 @@ interactions: cache-control: - no-cache content-length: - - '6182' + - '6208' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:19 GMT + - Thu, 06 Feb 2020 00:14:24 GMT expires: - '-1' pragma: @@ -16156,7 +16964,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16173,7 +16981,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:20 GMT + - Thu, 06 Feb 2020 00:14:25 GMT expires: - '-1' pragma: 
@@ -16200,7 +17008,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16210,17 +17018,17 @@ interactions: string: '{"properties":{"displayName":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them - from attacks.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from attacks.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OsVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","type":"Microsoft.Authorization/policyDefinitions","name":"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"}' headers: cache-control: - no-cache content-length: - - '1072' + - '1090' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:21 GMT + - Thu, 06 Feb 2020 00:14:25 GMT expires: - '-1' pragma: 
@@ -16251,7 +17059,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16268,7 +17076,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:21 GMT + - Thu, 06 Feb 2020 00:14:25 GMT expires: - '-1' pragma: @@ -16295,7 +17103,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16306,7 +17114,7 @@ interactions: Services to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -16323,11 +17131,11 @@ interactions: cache-control: - no-cache content-length: - - '3746' + - '3764' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:23 GMT + - Thu, 06 Feb 2020 00:14:25 GMT expires: - '-1' pragma: @@ -16358,7 +17166,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16375,7 +17183,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:23 GMT + - Thu, 06 Feb 2020 00:14:26 GMT expires: - '-1' pragma: @@ -16402,7 +17210,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16415,17 +17223,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"M
icrosoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"
Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2","type":"Microsoft.Authorization/policyDefinitions","name":"3d7b154e-2700-4c8c-9e46-cb65ac1578c2"}' headers: cache-control: - no-cache content-length: - - '2644' + - '3228' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:24 GMT + - Thu, 06 Feb 2020 00:14:26 GMT expires: - '-1' pragma: @@ -16456,7 +17264,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16473,7 +17281,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:25 GMT + - Thu, 06 Feb 2020 00:14:27 GMT expires: - '-1' pragma: 
@@ -16500,7 +17308,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16510,11 +17318,11 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs","policyType":"BuiltIn","mode":"Indexed","description":"This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the - selected Log Analytics workspace","metadata":{"category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":
"2017-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), + selected Log Analytics workspace","metadata":{"version":"1.0.0-deprecated","category":"Compute","deprecated":true},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"[Deprecated]: + Log Analytics workspace","description":"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant ''Log Analytics Contributor'' permissions (or similar) + to the policy assignment''s principal ID.","strongType":"omsWorkspace"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS","16.04-LTS","16.04.0-LTS","14.04.2-LTS","12.04.5-LTS"]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"}},"resources":[{"name":"[concat(parameters(''vmName''),''/omsPolicy'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","apiVersion":"2017
-12-01","properties":{"publisher":"Microsoft.EnterpriseCloud.Monitoring","type":"OmsAgentForLinux","typeHandlerVersion":"1.4","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters(''logAnalytics''), ''2015-03-20'').customerId]"},"protectedSettings":{"workspaceKey":"[listKeys(parameters(''logAnalytics''), ''2015-03-20'').primarySharedKey]"}}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled monitoring for Linux VM'', '': '', parameters(''vmName''))]"}}},"parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38","type":"Microsoft.Authorization/policyDefinitions","name":"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"}' @@ -16522,11 +17330,11 @@ interactions: cache-control: - no-cache content-length: - - '2773' + - '2816' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:26 GMT + - Thu, 06 Feb 2020 00:14:27 GMT expires: - '-1' pragma: @@ -16557,7 +17365,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16574,7 +17382,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:27 GMT + - Thu, 06 Feb 2020 00:14:28 GMT expires: - '-1' pragma: @@ -16601,7 +17409,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16610,17 +17418,17 @@ interactions: body: string: '{"properties":{"displayName":"Azure Monitor solution ''Security and Audit'' must be deployed","policyType":"BuiltIn","mode":"All","description":"This - policy ensures that Security and Audit is deployed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy ensures that Security and Audit is deployed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.OperationsManagement/solutions","existenceCondition":{"allOf":[{"field":"Microsoft.OperationsManagement/solutions/provisioningState","equals":"Succeeded"},{"field":"name","like":"Security(*)"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e","type":"Microsoft.Authorization/policyDefinitions","name":"3e596b57-105f-48a6-be97-03e9243bad6e"}' headers: cache-control: - no-cache content-length: - - '1005' + - '1023' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:28 GMT + - Thu, 06 Feb 2020 00:14:28 GMT expires: - '-1' pragma: @@ -16651,7 +17459,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16668,7 +17476,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:30 GMT + - Thu, 06 Feb 2020 00:14:29 GMT expires: - '-1' pragma: 
@@ -16695,7 +17503,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16705,18 +17513,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications that are not using latest supported PHP Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported PHP version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"}' + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPHP","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66","type":"Microsoft.Authorization/policyDefinitions","name":"3fe37002-5d00-4b37-a301-da09e3a0ca66"}' headers: cache-control: - no-cache content-length: - - '1198' + - '1226' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:31 GMT + - Thu, 06 Feb 2020 00:14:29 GMT expires: - '-1' pragma: @@ -16747,7 +17555,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16764,7 +17572,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:31 GMT + - Thu, 06 Feb 2020 00:14:29 GMT expires: - '-1' pragma: @@ -16791,7 +17599,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -16804,17 +17612,17 @@ interactions: forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, - eavesdropping, and session-hijacking","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + eavesdropping, and session-hijacking","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9","type":"Microsoft.Authorization/policyDefinitions","name":"404c3081-a854-4457-ae30-26a93ef643f9"}' headers: cache-control: - no-cache content-length: - - '1212' + - '1230' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:32 GMT + - Thu, 06 Feb 2020 00:14:30 GMT expires: - '-1' pragma: @@ -16845,7 +17653,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16862,7 +17670,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:33 GMT + - Thu, 06 Feb 2020 00:14:31 GMT expires: - '-1' pragma: 
@@ -16889,52 +17697,61 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"Always - use classic logon","description":"Specifies whether to force the user to log - on to the computer using the classic logon screen. 
This setting only works - when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"Boot-Start - Driver Initialization Policy","description":"Specifies which boot-start drivers - are initialized based on a classification determined by an Early Launch Antimalware - boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"Enable - Windows NTP Client","description":"Specifies whether the Windows NTP Client - is enabled. Enabling the Windows NTP Client allows your computer to synchronize - its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"Turn - on convenience PIN sign-in","description":"Specifies whether a domain user - can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}
]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AlwaysUseClassicLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Always use classic logon","description":"Specifies whether to force the user + to log on to the computer using the classic logon screen. This setting only + works when the computer is not on a domain."},"defaultValue":"0"},"BootStartDriverInitializationPolicy":{"type":"String","metadata":{"displayName":"[Preview]: + Boot-Start Driver Initialization Policy","description":"Specifies which boot-start + drivers are initialized based on a classification determined by an Early Launch + Antimalware boot-start driver."},"defaultValue":"3"},"EnableWindowsNTPClient":{"type":"String","metadata":{"displayName":"[Preview]: + Enable Windows NTP Client","description":"Specifies whether the Windows NTP + Client is enabled. 
Enabling the Windows NTP Client allows your computer to + synchronize its computer clock with other NTP servers."},"defaultValue":"1"},"TurnOnConveniencePINSignin":{"type":"String","metadata":{"displayName":"[Preview]: + Turn on convenience PIN sign-in","description":"Specifies whether a domain + user can sign in using a convenience PIN."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.wi
ndowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Always use classic logon;ExpectedValue'', ''='', parameters(''AlwaysUseClassicLogon''), '','', ''Boot-Start Driver Initialization Policy;ExpectedValue'', ''='', parameters(''BootStartDriverInitializationPolicy''), '','', ''Enable Windows NTP Client;ExpectedValue'', ''='', parameters(''EnableWindowsNTPClient''), - '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn on convenience PIN sign-in;ExpectedValue'', ''='', 
parameters(''TurnOnConveniencePINSignin'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesSystem"},"AlwaysUseClassicLogon":{"value":"[parameters(''AlwaysUseClassicLogon'')]"},"BootStartDriverInitializationPolicy":{"value":"[parameters(''BootStartDriverInitializationPolicy'')]"},"EnableWindowsNTPClient":{"value":"[parameters(''EnableWindowsNTPClient'')]"},"TurnOnConveniencePINSignin":{"value":"[parameters(''TurnOnConveniencePINSignin'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AlwaysUseClassicLogon":{"type":"string"},"BootStartDriverInitializationPolicy":{"type":"string"},"EnableWindowsNTPClient":{"type":"string"},"TurnOnConveniencePINSignin":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always + use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start + Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable + Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn + on convenience PIN 
sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Always use classic logon;ExpectedValue","value":"[parameters(''AlwaysUseClassicLogon'')]"},{"name":"Boot-Start Driver Initialization Policy;ExpectedValue","value":"[parameters(''BootStartDriverInitializationPolicy'')]"},{"name":"Enable Windows NTP Client;ExpectedValue","value":"[parameters(''EnableWindowsNTPClient'')]"},{"name":"Turn - on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on convenience PIN sign-in;ExpectedValue","value":"[parameters(''TurnOnConveniencePINSignin'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899","type":"Microsoft.Authorization/policyDefinitions","name":"40917425-69db-4018-8dae-2a0556cef899"}' headers: cache-control: - no-cache content-length: - - '7005' + - '8899' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:34 GMT + - Thu, 06 Feb 2020 00:14:31 GMT expires: - '-1' pragma: @@ -16965,7 +17782,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -16982,7 +17799,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:36 GMT + - Thu, 06 Feb 2020 00:14:30 GMT expires: - '-1' pragma: @@ -17009,7 +17826,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17019,17 +17836,17 @@ interactions: string: '{"properties":{"displayName":"Azure Monitor should collect activity logs from all regions","policyType":"BuiltIn","mode":"All","description":"This policy audits the Azure Monitor log profile which does not export activities - from all Azure supported regions including global.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + from all Azure supported regions including global.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiacentral2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"australiasoutheast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"brazilsouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"canadaeast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"centralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus"}}
,{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"eastus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"francesouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japaneast"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"japanwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreacentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"koreasouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"northeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricanorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southafricawest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"southeastasia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaecentral"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uaenorth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"uksouth"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"ukwest"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westcentralus"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westeurope"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westindia"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"westus"}},{"not":{"field":"Microsoft.I
nsights/logProfiles/locations[*]","notEquals":"westus2"}},{"not":{"field":"Microsoft.Insights/logProfiles/locations[*]","notEquals":"global"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9","type":"Microsoft.Authorization/policyDefinitions","name":"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"}' headers: cache-control: - no-cache content-length: - - '4084' + - '4102' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:36 GMT + - Thu, 06 Feb 2020 00:14:30 GMT expires: - '-1' pragma: @@ -17060,7 +17877,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17077,7 +17894,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:38 GMT + - Thu, 06 Feb 2020 00:14:32 GMT expires: - '-1' pragma: @@ -17104,7 +17921,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17115,19 +17932,19 @@ interactions: be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"2.0.0","category":"Batch"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Batch/batchAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d","type":"Microsoft.Authorization/policyDefinitions","name":"428256e6-1fac-4f48-a757-df34c2b3336d"}' headers: cache-control: - no-cache content-length: - - '1783' + - '1897' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:38 GMT + - Thu, 06 Feb 2020 00:14:32 GMT expires: - '-1' pragma: @@ -17158,7 +17975,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17175,7 +17992,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:40 GMT + - Thu, 06 Feb 2020 00:14:33 GMT expires: - '-1' pragma: 
@@ -17202,39 +18019,45 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Detailed Tracking''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"Audit - Process Termination","description":"Specifies whether audit events are generated - when a process has exited. 
Recommended for monitoring termination of critical - processes."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac
-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditProcessTermination":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Process Termination","description":"Specifies whether audit events are + generated when a process has exited. 
Recommended for monitoring termination + of critical processes."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"
false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Process Termination;ExpectedValue'', ''='', parameters(''AuditProcessTermination'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesDetailedTracking"},"AuditProcessTermination":{"value":"[parameters(''AuditProcessTermination'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditProcessTermination":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Process 
Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Process Termination;ExpectedValue","value":"[parameters(''AuditProcessTermination'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505","type":"Microsoft.Authorization/policyDefinitions","name":"42a07bbf-ffcf-459a-b4b1-30ecd118a505"}' headers: cache-control: - no-cache content-length: - - '5248' + - '6775' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:41 GMT + - Thu, 06 Feb 2020 00:14:33 GMT expires: - '-1' pragma: @@ -17265,7 +18088,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17282,7 +18105,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:42 GMT + - Thu, 06 Feb 2020 00:14:33 GMT expires: - '-1' pragma: 
@@ -17309,44 +18132,51 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - System settings''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"System + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"String","metadata":{"displayName":"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies","description":"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.
Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies","description":"Specifies whether digital certificates are processed - when software restriction policies are enabled and a user or process attempts - to run software with an .exe file name extension. It enables or disables certificate - rules (a type of software restriction policies rule). 
For certificate rules - to take effect in software restriction policies, you must enable this policy - setting."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCon
dition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''System + Policies;ExpectedValue'', ''='', parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - Policies;ExpectedValue'', ''='', 
parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsSystemsettings"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"System settings: Use Certificate Rules on Windows Executables for Software Restriction - 
Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Policies;ExpectedValue","value":"[parameters(''SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5","type":"Microsoft.Authorization/policyDefinitions","name":"437a1f8f-8552-47a8-8b12-a2fee3269dd5"}' headers: cache-control: - no-cache content-length: - - '5952' + - '7609' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:43 GMT + - Thu, 06 Feb 2020 00:14:34 GMT expires: - '-1' pragma: 
@@ -17377,7 +18207,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17394,7 +18224,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:44 GMT + - Thu, 06 Feb 2020 00:14:34 GMT expires: - '-1' pragma: @@ -17421,7 +18251,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17431,17 +18261,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Monitor permissive network access in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Network Security Groups with too permissive rules will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"}' + Center as recommendations","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"permissiveNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed","type":"Microsoft.Authorization/policyDefinitions","name":"44452482-524f-4bf4-b852-0bff7cc4a3ed"}' headers: cache-control: - no-cache content-length: - - '1118' + - '1161' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:45 GMT + - Thu, 06 Feb 2020 00:14:34 GMT expires: - '-1' pragma: @@ -17472,7 +18303,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17489,7 +18320,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:46 GMT + - Thu, 06 Feb 2020 00:14:35 GMT expires: - '-1' pragma: @@ -17516,7 +18347,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17527,16 +18358,16 @@ interactions: 12.0","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than - 12.0.","metadata":{"category":"SQL","deprecated":"true"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"}' + 12.0.","metadata":{"version":"1.0.0-deprecated","category":"SQL","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers"},{"not":{"field":"Microsoft.Sql/servers/version","equals":"12.0"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf","type":"Microsoft.Authorization/policyDefinitions","name":"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"}' headers: cache-control: - no-cache content-length: - - '744' + - '771' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:47 GMT + - Thu, 06 Feb 2020 00:14:35 GMT expires: - '-1' pragma: @@ -17567,7 +18398,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17584,7 +18415,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:48 GMT + - Thu, 06 Feb 2020 00:14:36 GMT expires: - '-1' pragma: 
@@ -17611,7 +18442,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17621,18 +18452,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"}' + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06","type":"Microsoft.Authorization/policyDefinitions","name":"46544d7b-1f0d-46f5-81da-5c1351de1b06"}' headers: cache-control: - no-cache content-length: - - '1207' + - '1235' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:49 GMT + - Thu, 06 Feb 2020 00:14:36 GMT expires: - '-1' pragma: @@ -17663,7 +18494,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17680,7 +18511,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:50 GMT + - Thu, 06 Feb 2020 00:14:37 GMT expires: - '-1' pragma: @@ -17707,7 +18538,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17718,16 +18549,16 @@ interactions: Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"All","description":"This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security - patches every month.","metadata":{"category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"}' + patches every month.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade","notEquals":"True"},{"field":"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade","notEquals":"True"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"465f0161-0087-490a-9ad9-ad6217f4f43a"}' headers: cache-control: - no-cache content-length: - - '947' + - '965' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:51 GMT + - Thu, 06 Feb 2020 00:14:37 GMT expires: - '-1' pragma: 
@@ -17758,7 +18589,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17775,7 +18606,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:53 GMT + - Thu, 06 Feb 2020 00:14:38 GMT expires: - '-1' pragma: @@ -17802,7 +18633,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -17812,17 +18643,17 @@ interactions: string: '{"properties":{"displayName":"Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription","policyType":"BuiltIn","mode":"All","description":"Enable automatic provisioning of the Log Analytics monitoring agent in order to collect - security data","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + security data","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/autoProvisioningSettings","existenceCondition":{"field":"Microsoft.Security/autoProvisioningSettings/autoProvision","equals":"On"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17","type":"Microsoft.Authorization/policyDefinitions","name":"475aae12-b88a-4572-8b36-9b712b2b3a17"}' headers: cache-control: - no-cache content-length: - - '1039' + - '1057' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:54 GMT + - Thu, 06 Feb 2020 00:14:38 GMT expires: - '-1' pragma: @@ -17853,7 +18684,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17870,7 +18701,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:55 GMT + - Thu, 06 Feb 2020 00:14:39 GMT expires: - '-1' pragma: 
@@ -17897,7 +18728,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17906,18 +18737,18 @@ interactions: body: string: '{"properties":{"displayName":"Adaptive Application Controls should be enabled on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"category":"Security + Application Whitelist configuration will be monitored by Azure Security Center","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"applicationWhitelisting","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","type":"Microsoft.Authorization/policyDefinitions","name":"47a6b606-51aa-4496-8bb7-64b11cf66adc"}' headers: cache-control: - no-cache content-length: - - '1071' + - '1089' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:56 GMT + - Thu, 06 Feb 2020 00:14:39 GMT expires: - '-1' pragma: 
@@ -17948,7 +18779,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -17965,7 +18796,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:58 GMT + - Thu, 06 Feb 2020 00:14:39 GMT expires: - '-1' pragma: @@ -17992,7 +18823,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18002,18 +18833,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit IP restrictions configuration for an API App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your - app. Use of IP Restrictions protects an API app from common attacks.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"}' + app. 
Use of IP Restrictions protects an API app from common attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53","type":"Microsoft.Authorization/policyDefinitions","name":"48893b84-a2c8-4d9a-badf-835d5d1b7d53"}' headers: cache-control: - no-cache content-length: - - '1209' + - '1237' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:05:59 GMT + - Thu, 06 Feb 2020 00:14:40 GMT expires: - '-1' pragma: @@ -18044,7 +18875,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18061,7 +18892,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:01 GMT + - Thu, 06 Feb 2020 00:14:41 GMT expires: - '-1' pragma: 
@@ -18088,7 +18919,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18098,17 +18929,17 @@ interactions: string: '{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure Database for PostgreSQL with geo-redundant backup - not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430","type":"Microsoft.Authorization/policyDefinitions","name":"48af4db5-9b8b-401c-8e74-076be876a430"}' headers: cache-control: - no-cache content-length: - - '916' + - '934' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:02 GMT + - Thu, 06 Feb 2020 00:14:41 GMT expires: - '-1' pragma: @@ -18139,7 +18970,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18156,7 +18987,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:03 GMT + - Thu, 06 Feb 2020 00:14:42 GMT expires: - '-1' pragma: @@ -18183,7 +19014,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18195,7 +19026,7 @@ interactions: newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', 
@@ -18205,11 +19036,11 @@ interactions: cache-control: - no-cache content-length: - - '1870' + - '1888' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:04 GMT + - Thu, 06 Feb 2020 00:14:42 GMT expires: - '-1' pragma: @@ -18240,7 +19071,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18257,7 +19088,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:06 GMT + - Thu, 06 Feb 2020 00:14:43 GMT expires: - '-1' pragma: 
@@ -18284,38 +19115,44 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Audit''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Audit''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"Audit: - Shut down system immediately if unable to log security audits","description":"Audits - if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-servic
es"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"String","metadata":{"displayName":"[Preview]: + Audit: Shut down system immediately if unable to log security audits","description":"Audits + if the system will shut down when unable to log Security events."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equal
s":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAudit","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit: Shut down system immediately if unable to log security audits;ExpectedValue'', - ''='', 
parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAudit"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: - Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue","value":"[parameters(''AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3","type":"Microsoft.Authorization/policyDefinitions","name":"498b810c-59cd-4222-9338-352ba146ccf3"}' headers: cache-control: - no-cache content-length: - - '5371' + - '6975' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:06 GMT + - Thu, 06 Feb 2020 00:14:43 GMT expires: - '-1' pragma: @@ -18346,7 +19183,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18363,7 +19200,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:08 GMT + - Thu, 06 Feb 2020 00:14:43 GMT expires: - '-1' pragma: 
@@ -18390,7 +19227,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18403,7 +19240,7 @@ interactions: or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New ''modify'' effect policies are available that support remediation of tags on existing - resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', @@ -18412,11 +19249,11 @@ interactions: cache-control: - no-cache content-length: - - '1299' + - '1317' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:09 GMT + - Thu, 06 Feb 2020 00:14:43 GMT expires: - '-1' pragma: @@ -18447,7 +19284,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18464,7 +19301,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:10 GMT + - Thu, 06 Feb 2020 00:14:44 GMT expires: - '-1' pragma: @@ -18491,7 +19328,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18505,9 +19342,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"
11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', + that should be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -18523,11 +19360,11 @@ interactions: cache-control: - no-cache content-length: - - '6695' + - '7143' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:11 GMT + - Thu, 06 Feb 2020 00:14:44 GMT expires: - '-1' pragma: @@ -18537,7 +19374,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -18558,7 +19395,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18575,7 +19412,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:16 GMT + - Thu, 06 Feb 2020 00:14:45 GMT expires: - '-1' pragma: @@ -18602,7 +19439,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18610,17 +19447,18 @@ interactions: response: body: string: '{"properties":{"displayName":"FTPS should be required in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Enable - FTPS enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + FTPS enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","type":"Microsoft.Authorization/policyDefinitions","name":"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"}' headers: cache-control: - no-cache content-length: - - '933' + - '951' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:17 GMT + - Thu, 06 Feb 2020 00:14:46 GMT expires: - '-1' pragma: @@ -18630,7 +19468,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -18651,7 +19489,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18668,7 +19506,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:18 GMT + - Thu, 06 Feb 2020 00:14:46 GMT expires: - '-1' pragma: @@ -18695,7 +19533,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18705,7 +19543,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Deploy Dependency Agent for Linux VMs","policyType":"BuiltIn","mode":"Indexed","description":"Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined and the agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + is not installed.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachines/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.6"},"resources":[{"type":"Microsoft.Compute/virtualMachines/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -18714,11 +19552,11 @@ interactions: cache-control: - no-cache content-length: - - '4070' + - '4096' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:19 GMT + - Thu, 06 Feb 2020 00:14:46 GMT expires: - '-1' pragma: @@ -18749,7 +19587,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18766,7 +19604,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:21 GMT + - Thu, 06 Feb 2020 00:14:48 GMT expires: - '-1' pragma: @@ -18793,7 +19631,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -18804,7 +19642,7 @@ interactions: Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -18821,11 +19659,11 @@ interactions: cache-control: - no-cache content-length: - - '3824' + - '3842' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:21 GMT + - Thu, 06 Feb 2020 00:14:48 GMT expires: - '-1' pragma: @@ -18856,7 +19694,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18873,7 +19711,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:23 GMT + - Thu, 06 Feb 2020 00:14:48 GMT expires: - '-1' pragma: 
@@ -18900,7 +19738,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18910,18 +19748,18 @@ interactions: string: '{"properties":{"displayName":"A maximum of 3 owners should be designated for your subscription","policyType":"BuiltIn","mode":"All","description":"It is recommended to designate up to 3 subscription owners in order to reduce - the potential for breach by a compromised owner.","metadata":{"category":"Security + the potential for breach by a compromised owner.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DesignateLessThanXOwners","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","type":"Microsoft.Authorization/policyDefinitions","name":"4f11b553-d42e-4e3a-89be-32ca364cad4c"}' headers: cache-control: - no-cache content-length: - - '1067' + - '1085' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:23 GMT + - Thu, 06 Feb 2020 00:14:48 GMT expires: - '-1' pragma: @@ -18931,7 +19769,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -18952,7 +19790,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -18969,7 +19807,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:24 GMT + - Thu, 06 Feb 2020 00:14:48 GMT expires: - '-1' pragma: @@ -18996,7 +19834,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19006,17 +19844,18 @@ interactions: string: '{"properties":{"displayName":"A security contact email address should be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter an email address to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","type":"Microsoft.Authorization/policyDefinitions","name":"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"}' headers: cache-control: - no-cache content-length: - - '993' + - '1011' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:25 GMT + - Thu, 06 Feb 2020 00:14:49 GMT expires: - '-1' pragma: @@ -19047,7 +19886,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19064,7 +19903,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:27 GMT + - Thu, 06 Feb 2020 00:14:49 GMT expires: - '-1' pragma: 
@@ -19091,7 +19930,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19102,7 +19941,7 @@ interactions: the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', @@ -19111,11 +19950,11 @@ interactions: cache-control: - no-cache content-length: - - '1235' + - '1253' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:28 GMT + - Thu, 06 Feb 2020 00:14:49 GMT expires: - '-1' pragma: @@ -19146,7 +19985,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19163,7 +20002,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:30 GMT + - Thu, 06 Feb 2020 00:14:50 GMT expires: - '-1' pragma: @@ -19190,7 +20029,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19200,17 +20039,18 @@ interactions: string: '{"properties":{"displayName":"[Preview] Vulnerability Assessment should be enabled on Virtual Machines","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment - on Virtual Machines","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + on Virtual Machines","metadata":{"version":"1.0.0-preview","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"serverVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["NotApplicable","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","type":"Microsoft.Authorization/policyDefinitions","name":"501541f7-f7e7-4cd6-868c-4190fdad3ac9"}' headers: cache-control: - no-cache content-length: - - '1114' + - '1140' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:31 GMT + - Thu, 06 Feb 2020 00:14:50 GMT expires: - '-1' pragma: @@ -19241,7 +20081,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19258,7 +20098,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:31 GMT + - Thu, 06 Feb 2020 00:14:51 GMT expires: - '-1' pragma: @@ -19285,7 +20125,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19296,7 +20136,7 @@ interactions: to all Azure virtual network gateway connections","policyType":"BuiltIn","mode":"All","description":"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported - algorithms and key strengths - https://aka.ms/AA62kb0","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + algorithms and key strengths - https://aka.ms/AA62kb0","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"},"IPsecEncryption":{"type":"Array","metadata":{"displayName":"IPsec Encryption","description":"IPsec Encryption"}},"IPsecIntegrity":{"type":"Array","metadata":{"displayName":"IPsec Integrity","description":"IPsec Integrity"}},"IKEEncryption":{"type":"Array","metadata":{"displayName":"IKE @@ -19308,11 +20148,11 @@ interactions: cache-control: - no-cache content-length: - - '2246' + - '2264' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:32 GMT + - Thu, 06 Feb 2020 00:14:51 GMT expires: - '-1' pragma: @@ -19322,7 +20162,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -19343,7 +20183,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19360,7 +20200,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:34 GMT + - Thu, 06 Feb 2020 00:14:52 GMT expires: - '-1' pragma: @@ -19387,7 +20227,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19398,17 +20238,17 @@ interactions: for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per - IP for too many invalid password login failures.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + IP for too many invalid password login failures.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"connection_throttling","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd","type":"Microsoft.Authorization/policyDefinitions","name":"5345bb39-67dc-4960-a1bf-427e16b9a0bd"}' headers: cache-control: - no-cache content-length: - - '1148' + - '1166' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:36 GMT + - Thu, 06 Feb 2020 00:14:52 GMT expires: - '-1' pragma: @@ -19418,7 +20258,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -19439,7 +20279,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19456,7 +20296,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:39 GMT + - Thu, 06 Feb 2020 00:14:53 GMT expires: - '-1' pragma: @@ -19483,7 +20323,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19493,18 +20333,18 @@ interactions: string: '{"properties":{"displayName":"CORS should not allow every resource to access your Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. - Allow only required domains to interact with your web app.","metadata":{"category":"App + Allow only required domains to interact with your web app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]","notEquals":"*"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9","type":"Microsoft.Authorization/policyDefinitions","name":"5744710e-cc2f-4ee8-8809-3b11e89f4bc9"}' headers: cache-control: - no-cache content-length: - - '1073' + - '1091' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:40 GMT + - Thu, 06 Feb 2020 00:14:53 GMT expires: - '-1' pragma: @@ -19535,7 +20375,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19552,7 +20392,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:41 GMT + - Thu, 06 Feb 2020 00:14:54 GMT expires: - '-1' pragma: 
@@ -19579,7 +20419,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19592,18 +20432,18 @@ interactions: instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"}' + which is the recommended TLS level by industry standards, such as PCI DSS","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453","type":"Microsoft.Authorization/policyDefinitions","name":"58d94fc1-a072-47c2-bd37-9cdb38e77453"}' headers: cache-control: - no-cache content-length: - - '1364' + - '1407' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:42 GMT + - Thu, 06 Feb 2020 00:14:54 GMT expires: - '-1' pragma: @@ -19634,7 +20474,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19651,7 +20491,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:44 GMT + - Thu, 06 Feb 2020 00:14:55 GMT expires: - '-1' pragma: @@ -19678,7 +20518,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19691,16 +20531,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Mic
rosoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"}' + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordAge","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7","type":"Microsoft.Authorization/policyDefinitions","name":"5aa11bbc-5c76-4302-80e5-aba46a4282e7"}' headers: cache-control: - no-cache content-length: - - '2744' + - '3178' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:44 GMT + - Thu, 06 Feb 2020 00:14:55 GMT expires: - '-1' pragma: @@ -19731,7 +20572,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19748,7 +20589,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:45 GMT + - Thu, 06 Feb 2020 00:14:56 GMT expires: - '-1' pragma: 
@@ -19775,7 +20616,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19788,16 +20629,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"}' + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MinimumPasswordLength","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec","type":"Microsoft.Authorization/policyDefinitions","name":"5aebc8d1-020d-4037-89a0-02043a7524ec"}' headers: cache-control: - no-cache content-length: - - '2781' + - '3215' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:46 GMT + - Thu, 06 Feb 2020 00:14:57 GMT expires: - '-1' pragma: @@ -19828,7 +20670,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19845,7 +20687,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:49 GMT + - Thu, 06 Feb 2020 00:14:56 GMT expires: - '-1' pragma: 
@@ -19872,7 +20714,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -19884,17 +20726,17 @@ interactions: policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":
"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}' + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest + 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8","type":"Microsoft.Authorization/policyDefinitions","name":"5b842acb-0fe7-41b0-9f40-880ec4ad84d8"}' headers: cache-control: - no-cache content-length: - - '3182' + - '3630' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:50 GMT + - Thu, 06 Feb 2020 00:14:57 GMT expires: - '-1' pragma: @@ -19904,7 +20746,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -19925,7 +20767,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19942,7 +20784,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:52 GMT + - Thu, 06 Feb 2020 00:14:57 GMT expires: - '-1' pragma: 
@@ -19969,7 +20811,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -19979,18 +20821,18 @@ interactions: string: '{"properties":{"displayName":"Ensure WEB app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. - Only clients that have a valid certificate will be able to reach the app.","metadata":{"category":"App + Only clients that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609","type":"Microsoft.Authorization/policyDefinitions","name":"5bb220d9-2698-4ee4-8404-b9c30c9df609"}' headers: cache-control: - no-cache content-length: - - '985' + - '1003' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:53 GMT + - Thu, 06 Feb 2020 00:14:57 GMT expires: - '-1' pragma: @@ -20021,7 +20863,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20038,7 +20880,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:55 GMT + - Thu, 06 Feb 2020 00:14:58 GMT expires: - '-1' pragma: @@ -20065,7 +20907,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20080,17 +20922,17 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"host":{"type":"String","metadata":{"displayName":"Remote - Host Name","description":"Specifies the Domain Name System (DNS) name or IP - address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"Port","description":"The - TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"Should - connect to remote host","description":"Must be ''True'' or ''False''. ''True'' - indicates that the virtual machine should be able to establish a connection - with the remote host specified, so the machine will be non-compliant if it - cannot establish a connection. 
''False'' indicates that the virtual machine - should not be able to establish a connection with the remote host specified, - so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"host":{"type":"String","metadata":{"displayName":"[Preview]: + Remote Host Name","description":"Specifies the Domain Name System (DNS) name + or IP address of the remote host machine."}},"port":{"type":"String","metadata":{"displayName":"[Preview]: + Port","description":"The TCP port number on the remote host name."}},"shouldConnect":{"type":"String","metadata":{"displayName":"[Preview]: + Should connect to remote host","description":"Must be ''True'' or ''False''. + ''True'' indicates that the virtual machine should be able to establish a + connection with the remote host specified, so the machine will be non-compliant + if it cannot establish a connection. 
''False'' indicates that the virtual + machine should not be able to establish a connection with the remote host + specified, so the machine will be non-compliant if it can establish a connection."},"allowedValues":["True","False"],"defaultValue":"False"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osT
ype","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsRemoteConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsRemoteConnection]WindowsRemoteConnection1;host'', ''='', parameters(''host''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;port'', ''='', parameters(''port''), '','', ''[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect'', ''='', parameters(''shouldConnect'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsRemoteConnection"},"host":{"value":"[parameters(''host'')]"},"port":{"value":"[parameters(''port'')]"},"shouldConnect":{"value":"[parameters(''shouldConnect'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"host":{"type":"string"},"port":{"type":"string"},"shouldConnect":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
@@ -20105,11 +20947,11 @@ interactions: cache-control: - no-cache content-length: - - '7489' + - '7956' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:56 GMT + - Thu, 06 Feb 2020 00:14:58 GMT expires: - '-1' pragma: @@ -20140,7 +20982,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20157,7 +20999,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:56 GMT + - Thu, 06 Feb 2020 00:14:59 GMT expires: - '-1' pragma: @@ -20184,7 +21026,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20197,17 +21039,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Security''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{
"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-win
dows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkSecurity","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8","type":"Microsoft.Authorization/policyDefinitions","name":"5c028d2a-1889-45f6-b821-31f42711ced8"}' headers: cache-control: - no-cache content-length: - - '2670' + - '3254' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:57 GMT + - Thu, 06 Feb 2020 00:15:00 GMT expires: - '-1' pragma: @@ -20238,7 +21080,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20255,7 +21097,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:06:59 GMT + - Thu, 06 Feb 2020 00:15:01 GMT expires: - '-1' pragma: 
@@ -20282,7 +21124,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20293,7 +21135,7 @@ interactions: Deployment in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example @@ -20302,11 +21144,11 @@ interactions: cache-control: - no-cache content-length: - - '5958' + - '5984' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:00 GMT + - Thu, 06 Feb 2020 00:15:01 GMT expires: - '-1' pragma: @@ -20337,7 +21179,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20354,7 +21196,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:01 GMT + - Thu, 06 Feb 2020 00:15:01 GMT expires: - '-1' pragma: @@ -20381,7 +21223,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20391,17 +21233,18 @@ interactions: string: '{"properties":{"displayName":"External accounts with write permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with write privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4","type":"Microsoft.Authorization/policyDefinitions","name":"5c607a2e-c700-4744-8254-d77e7c9eb5e4"}' headers: cache-control: - no-cache content-length: - - '1096' + - '1114' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:02 GMT + - Thu, 06 Feb 2020 00:15:01 GMT expires: - '-1' pragma: @@ -20432,7 +21275,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20449,7 +21292,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:03 GMT + - Thu, 06 Feb 2020 00:15:03 GMT expires: - '-1' pragma: @@ -20476,7 +21319,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20486,18 +21329,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"}' + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForFunctionApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55","type":"Microsoft.Authorization/policyDefinitions","name":"5df82f4f-773a-4a2d-97a2-422a806f1a55"}' headers: cache-control: - no-cache content-length: - - '1230' + - '1273' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:05 GMT + - Thu, 06 Feb 2020 00:15:03 GMT expires: - '-1' pragma: @@ -20528,7 +21371,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20545,7 +21388,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:06 GMT + - Thu, 06 Feb 2020 00:15:04 GMT expires: - '-1' pragma: @@ -20572,7 +21415,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20582,18 +21425,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported .NET Framework version for the latest security classes. - Using older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"}' + Using older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestDotNet","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2","type":"Microsoft.Authorization/policyDefinitions","name":"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"}' headers: cache-control: - no-cache content-length: - - '1299' + - '1327' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:07 GMT + - Thu, 06 Feb 2020 00:15:04 GMT expires: - '-1' pragma: @@ -20624,7 +21467,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20641,7 +21484,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:11 GMT + - Thu, 06 Feb 2020 00:15:05 GMT expires: - '-1' pragma: @@ -20668,7 +21511,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20681,16 +21524,16 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field"
:"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"}' + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer
","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WhitelistedApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9","type":"Microsoft.Authorization/policyDefinitions","name":"5e393799-e3ca-4e43-a9a5-0ec4648a57d9"}' headers: cache-control: - no-cache content-length: - - '2747' + - '3158' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:12 GMT + - Thu, 06 Feb 2020 00:15:05 GMT expires: - '-1' pragma: @@ -20721,7 +21564,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20738,7 +21581,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:14 GMT + - Thu, 06 Feb 2020 00:15:06 GMT expires: - '-1' pragma: 
@@ -20765,7 +21608,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20775,16 +21618,16 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation only in India data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: West India, South India, - Central India","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"}' + Central India","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["westindia","southindia","centralindia"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54","type":"Microsoft.Authorization/policyDefinitions","name":"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"}' headers: cache-control: - no-cache content-length: - - '633' + - '662' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:14 GMT + - Thu, 06 Feb 2020 00:15:06 GMT expires: - '-1' pragma: @@ -20815,7 +21658,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20832,7 +21675,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:16 GMT + - Thu, 06 Feb 2020 00:15:07 GMT expires: - '-1' pragma: @@ -20859,7 +21702,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20871,7 +21714,7 @@ interactions: Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant ''Log Analytics Contributor'' permissions (or similar) to the @@ -20886,11 +21729,11 @@ interactions: cache-control: - no-cache content-length: - - '5198' + - '5224' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:17 GMT + - Thu, 06 Feb 2020 00:15:07 GMT expires: - '-1' pragma: @@ -20900,7 +21743,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -20921,7 +21764,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -20938,7 +21781,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:18 GMT + - Thu, 06 Feb 2020 00:15:04 GMT expires: - '-1' pragma: @@ -20965,7 +21808,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -20975,17 +21818,18 @@ interactions: string: '{"properties":{"displayName":"External accounts with read permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with read privileges should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60","type":"Microsoft.Authorization/policyDefinitions","name":"5f76cf89-fbf2-47fd-a3f4-b891fa780b60"}' headers: cache-control: - no-cache content-length: - - '1093' + - '1111' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:19 GMT + - Thu, 06 Feb 2020 00:15:04 GMT expires: - '-1' pragma: @@ -21016,7 +21860,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21033,7 +21877,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:20 GMT + - Thu, 06 Feb 2020 00:15:09 GMT expires: - '-1' pragma: @@ -21060,7 +21904,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21070,7 +21914,7 @@ interactions: string: '{"properties":{"displayName":"Add or replace a tag on resources","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does - not modify tags on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + not modify tags on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', @@ -21079,11 +21923,11 @@ interactions: cache-control: - no-cache content-length: - - '1207' + - '1225' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:21 GMT + - Thu, 06 Feb 2020 00:15:09 GMT expires: - '-1' pragma: 
@@ -21114,7 +21958,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21131,7 +21975,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:23 GMT + - Thu, 06 Feb 2020 00:15:09 GMT expires: - '-1' pragma: @@ -21158,7 +22002,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21171,17 +22015,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bo
sh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b","type":"Microsoft.Authorization/policyDefinitions","name":"60aeaf73-a074-417a-905f-7ce9df0ff77b"}' headers: cache-control: - no-cache content-length: - - '2675' + - '3259' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:24 GMT + - Thu, 06 Feb 2020 00:15:10 GMT expires: - '-1' pragma: @@ -21191,7 +22035,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -21212,7 +22056,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21229,7 +22073,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:25 GMT + - Thu, 06 Feb 2020 00:15:10 GMT expires: - '-1' pragma: @@ -21256,7 +22100,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21266,17 +22110,17 @@ interactions: string: '{"properties":{"displayName":"Storage Accounts should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Storage Account not configured to use a virtual network - service endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + service endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"anyOf":[{"field":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4","type":"Microsoft.Authorization/policyDefinitions","name":"60d21c4f-21a3-4d94-85f4-b924e6aeeda4"}' headers: cache-control: - no-cache content-length: - - '1017' + - '1035' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:26 GMT + - Thu, 06 Feb 2020 00:15:11 GMT expires: - '-1' pragma: 
@@ -21286,7 +22130,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -21307,7 +22151,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21324,7 +22168,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:27 GMT + - Thu, 06 Feb 2020 00:15:11 GMT expires: - '-1' pragma: @@ -21351,7 +22195,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21364,16 +22208,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machine
s"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"}' + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Micr
osoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c","type":"Microsoft.Authorization/policyDefinitions","name":"60ffe3e2-4604-4460-8f22-0f1da058266c"}' headers: cache-control: - no-cache content-length: - - '2760' + - '3171' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:29 GMT + - Thu, 06 Feb 2020 00:15:11 GMT expires: - '-1' pragma: @@ -21383,7 +22228,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -21404,7 +22249,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21421,7 +22266,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:30 GMT + - Thu, 06 Feb 2020 00:15:12 GMT expires: - '-1' pragma: @@ -21448,7 +22293,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21460,7 +22305,7 @@ interactions: enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan - results, with a ''sqlva'' prefix.","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), + results, with a ''sqlva'' 
prefix.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/securityAlertPolicies.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3","/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"},"location":{"type":"string"}},"variables":{"serverResourceGroupName":"[resourceGroup().name]","subscriptionId":"[subscription().subscriptionId]","uniqueStorage":"[uniqueString(variables(''subscriptionId''), variables(''serverResourceGroupName''), parameters(''location''))]","storageName":"[tolower(concat(''sqlva'', variables(''uniqueStorage'')))]"},"resources":[{"type":"Microsoft.Storage/storageAccounts","name":"[variables(''storageName'')]","apiVersion":"2019-04-01","location":"[parameters(''location'')]","sku":{"name":"Standard_LRS"},"kind":"StorageV2","properties":{}},{"name":"[concat(parameters(''serverName''), ''/Default'')]","type":"Microsoft.Sql/servers/securityAlertPolicies","apiVersion":"2017-03-01-preview","properties":{"state":"Enabled","emailAccountAdmins":true}},{"name":"[concat(parameters(''serverName''), @@ -21473,11 +22318,11 @@ interactions: cache-control: - no-cache content-length: - - '2974' + - '2992' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:31 GMT + - Thu, 06 Feb 2020 00:15:12 GMT expires: - '-1' pragma: 
@@ -21487,7 +22332,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -21508,7 +22353,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21525,7 +22370,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:33 GMT + - Thu, 06 Feb 2020 00:15:13 GMT expires: - '-1' pragma: 
@@ -21552,17 +22397,19 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Configure time zone on Windows machines.","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to set specified time zone - on Windows virtual machines.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + string: '{"properties":{"displayName":"[Preview]: Configure time zone on Windows + machines.","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to set specified time zone on Windows + virtual machines.","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Time zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) 
@@ -21613,7 +22460,7 @@ interactions: Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.Hyb
ridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrast
ructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"SetWindowsTimeZone","existenceCondition":{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', ''='', parameters(''TimeZone'')))]"},{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"SetWindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","assignmentType":"DeployAndAutoCorrect","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -21623,11 +22470,11 @@ interactions: cache-control: - no-cache content-length: - - '8972' + - '9428' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:34 GMT + - Thu, 06 Feb 2020 00:15:13 GMT expires: - '-1' pragma: @@ -21658,7 +22505,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21675,7 +22522,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:35 GMT + - Thu, 06 Feb 2020 00:15:11 GMT expires: - '-1' pragma: @@ -21702,7 +22549,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21714,17 +22561,17 @@ interactions: Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and - digitally signed","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + digitally signed","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].name","notEquals":"Security"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name","notEquals":"ClusterProtectionLevel"},{"field":"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value","notEquals":"EncryptAndSign"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68","type":"Microsoft.Authorization/policyDefinitions","name":"617c02be-7f02-4efd-8836-3180d47b6c68"}' headers: cache-control: - no-cache content-length: - - '1339' + - '1357' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:36 GMT + - Thu, 06 Feb 2020 00:15:11 GMT expires: - '-1' pragma: @@ -21734,7 +22581,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -21755,7 +22602,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21772,7 +22619,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:38 GMT + - Thu, 06 Feb 2020 00:15:15 GMT expires: - '-1' pragma: @@ -21799,7 +22646,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -21812,17 +22659,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System objects''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"t
ype":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"}' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-serve
r*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemobjects","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636","type":"Microsoft.Authorization/policyDefinitions","name":"620e58b5-ac75-49b4-993f-a9d4f0459636"}' headers: cache-control: - no-cache content-length: - - '2664' + - '3248' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:39 GMT + - Thu, 06 Feb 2020 00:15:15 GMT expires: - '-1' pragma: @@ -21853,7 +22700,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21870,7 +22717,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:40 GMT + - Thu, 06 Feb 2020 00:15:16 GMT expires: - '-1' pragma: 
@@ -21897,39 +22744,45 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Devices''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Devices''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"Devices: - Allowed to format and eject removable media","description":"Specifies who - is allowed to format and eject removable NTFS media. 
You can use this policy - setting to prevent unauthorized users from removing data on one computer to - access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","roleDefinitionIds":["/providers/microsoft.authorization/ro
leDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: - Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"String","metadata":{"displayName":"[Preview]: + Devices: Allowed to format and eject removable media","description":"Specifies + who is allowed to format and eject removable NTFS media. 
You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Mic
rosoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsDevices","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Devices: + Allowed to format and eject removable media;ExpectedValue'', ''='', parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsDevices"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"DevicesAllowedToFormatAndEjectRemovableMedia":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: - Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Devices: + Allowed to format and eject removable media;ExpectedValue","value":"[parameters(''DevicesAllowedToFormatAndEjectRemovableMedia'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897","type":"Microsoft.Authorization/policyDefinitions","name":"6481cc21-ed6e-4480-99dd-ea7c5222e897"}' headers: cache-control: - no-cache content-length: - - '5429' + - '7004' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:41 GMT + - Thu, 06 Feb 2020 00:15:16 GMT expires: - '-1' pragma: @@ -21960,7 +22813,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -21977,7 +22830,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:43 GMT + - Thu, 06 Feb 2020 00:15:17 GMT expires: - '-1' pragma: @@ -22004,7 +22857,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22014,17 +22867,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit missing blob encryption for storage accounts","policyType":"BuiltIn","mode":"All","description":"This policy is no longer necessary because storage blob encryption is enabled by - default and cannot be turned off.","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"}' + default and cannot be turned off.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"True"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759","type":"Microsoft.Authorization/policyDefinitions","name":"655cb504-bcee-4362-bd4c-402e6aa38759"}' headers: cache-control: - no-cache content-length: - - '946' + - '989' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:44 GMT + - Thu, 06 Feb 2020 00:15:17 GMT expires: - '-1' pragma: 
@@ -22034,7 +22888,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -22055,7 +22909,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22072,7 +22926,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:45 GMT + - Thu, 06 Feb 2020 00:15:17 GMT expires: - '-1' pragma: @@ -22099,7 +22953,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22110,17 +22964,17 @@ interactions: for a Function App","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"}' + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90","type":"Microsoft.Authorization/policyDefinitions","name":"664346d9-be92-43fb-a219-d595eeb76a90"}' headers: cache-control: - no-cache content-length: - - '1292' + - '1320' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:46 GMT + - Thu, 06 Feb 2020 00:15:17 GMT expires: - '-1' pragma: @@ -22151,7 +23005,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22168,7 +23022,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:47 GMT + - Thu, 06 Feb 2020 00:15:18 GMT expires: - '-1' pragma: @@ -22195,7 +23049,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22209,10 +23063,10 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"Connected - workspace IDs","description":"A semicolon-separated list of the workspace - IDs that the Log Analytics agent should be connected to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"}
,{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WorkspaceId":{"type":"String","metadata":{"displayName":"[Preview]: + Connected workspace IDs","description":"A semicolon-separated list of the + workspace IDs that the Log Analytics agent should be connected 
to"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":
"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId'', ''='', parameters(''WorkspaceId'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsLogAnalyticsAgentConnection"},"WorkspaceId":{"value":"[parameters(''WorkspaceId'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WorkspaceId":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId","value":"[parameters(''WorkspaceId'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -22225,11 +23079,11 @@ interactions: cache-control: - no-cache content-length: - - '6087' + - '6532' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:48 GMT + - Thu, 06 Feb 2020 00:15:18 GMT expires: - '-1' pragma: @@ -22239,7 +23093,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -22260,7 +23114,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22277,7 +23131,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:50 GMT + - Thu, 06 Feb 2020 00:15:19 GMT expires: - '-1' pragma: @@ -22304,7 +23158,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22318,13 +23172,14 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"State - in which to show VMs on which Windows Defender Exploit Guard is not available","description":"Windows - Defender Exploit Guard is only available starting with Windows 10/Windows - Server with update 1709. Setting this value to ''Non-Compliant'' will make - machines with older versions on which Windows Defender Exploit Guard is not - available (such as Windows Server 2012 R2) non-compliant. Setting this value - to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"
]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NotAvailableMachineState":{"type":"String","metadata":{"displayName":"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available","description":"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to ''Non-Compliant'' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to ''Compliant'' will make these machines compliant."},"allowedValues":["Compliant","Non-Compliant"],"defaultValue":"Non-Compliant"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[
{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDefenderExploitGuard","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState'', ''='', parameters(''NotAvailableMachineState'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDefenderExploitGuard"},"NotAvailableMachineState":{"value":"[parameters(''NotAvailableMachineState'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NotAvailableMachineState":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState","value":"[parameters(''NotAvailableMachineState'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -22337,11 +23192,11 @@ interactions: cache-control: - no-cache content-length: - - '6629' + - '7074' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:51 GMT + - Thu, 06 Feb 2020 00:15:19 GMT expires: - '-1' pragma: @@ -22372,7 +23227,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22389,7 +23244,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:52 GMT + - Thu, 06 Feb 2020 00:15:21 GMT expires: - '-1' pragma: @@ -22416,7 +23271,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22427,17 +23282,17 @@ interactions: for a Web Application","policyType":"BuiltIn","mode":"All","description":"IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common - attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"}' + attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ConfigureIPRestrictions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe","type":"Microsoft.Authorization/policyDefinitions","name":"6a8450e2-6c61-43b4-be65-62e3a197bffe"}' headers: cache-control: - no-cache content-length: - - '1309' + - '1337' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:53 GMT + - Thu, 06 Feb 2020 00:15:21 GMT expires: - '-1' pragma: @@ -22468,7 +23323,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22485,7 +23340,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:55 GMT + - Thu, 06 Feb 2020 00:15:21 GMT expires: - '-1' pragma: @@ -22512,7 +23367,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22525,18 +23380,18 @@ interactions: instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, - which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"category":"App - Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"}' + which is the recommended TLS level by industry standards, such as PCI DSS.","metadata":{"version":"1.0.0-deprecated","category":"App + Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7","type":"Microsoft.Authorization/policyDefinitions","name":"6ad61431-88ce-4357-a0e1-6da43f292bd7"}' headers: cache-control: - no-cache content-length: - - '1353' + - '1396' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:55 GMT + - Thu, 06 Feb 2020 00:15:21 GMT expires: - '-1' pragma: @@ -22567,7 +23422,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22584,7 +23439,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:57 GMT + - Thu, 06 Feb 2020 00:15:23 GMT expires: - '-1' pragma: @@ -22611,7 +23466,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22621,18 +23476,18 @@ interactions: string: '{"properties":{"displayName":"Deprecated accounts should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts should be removed from your subscriptions. Deprecated accounts are - accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccounts","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474","type":"Microsoft.Authorization/policyDefinitions","name":"6b1cbf55-e8b6-442f-ba4c-7246b6381474"}' headers: cache-control: - no-cache content-length: - - '1073' + - '1091' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:07:58 GMT + - Thu, 06 Feb 2020 00:15:23 GMT expires: - '-1' pragma: @@ -22663,7 +23518,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22680,7 +23535,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:00 GMT + - Thu, 06 Feb 2020 00:15:23 GMT expires: - '-1' pragma: 
@@ -22707,7 +23562,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22718,7 +23573,7 @@ interactions: Bus to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -22735,11 +23590,11 @@ interactions: cache-control: - no-cache content-length: - - '3736' + - '3754' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:01 GMT + - Thu, 06 Feb 2020 00:15:23 GMT expires: - '-1' pragma: @@ -22749,7 +23604,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -22770,7 +23625,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22787,7 +23642,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:03 GMT + - Thu, 06 Feb 2020 00:15:24 GMT expires: - '-1' pragma: @@ -22814,7 +23669,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22823,18 +23678,18 @@ interactions: body: string: '{"properties":{"displayName":"Not allowed resource types","policyType":"BuiltIn","mode":"All","description":"This policy enables you to specify the resource types that your organization cannot - deploy.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The + deploy.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesNotAllowed":{"type":"Array","metadata":{"description":"The list of resource types that cannot be deployed.","displayName":"Not allowed resource types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypesNotAllowed'')]"},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749","type":"Microsoft.Authorization/policyDefinitions","name":"6c112d4e-5bc7-47ae-a041-ea2d9dccd749"}' headers: cache-control: - no-cache content-length: - - '763' + - '781' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:04 GMT + - Thu, 06 Feb 2020 00:15:24 GMT expires: - '-1' pragma: 
@@ -22844,7 +23699,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -22865,7 +23720,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -22882,7 +23737,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:05 GMT + - Thu, 06 Feb 2020 00:15:25 GMT expires: - '-1' pragma: @@ -22909,7 +23764,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22919,17 +23774,18 @@ interactions: string: '{"properties":{"displayName":"Function App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS ensures server/service authentication and protects data in transit from - network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","type":"Microsoft.Authorization/policyDefinitions","name":"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"}' headers: cache-control: - no-cache content-length: - - '913' + - '931' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:06 GMT + - Thu, 06 Feb 2020 00:15:26 GMT expires: - '-1' pragma: @@ -22939,7 +23795,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -22960,7 +23816,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -22977,7 +23833,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:08 GMT + - Thu, 06 Feb 2020 00:15:26 GMT expires: - '-1' pragma: @@ -23004,7 +23860,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23015,18 +23871,18 @@ interactions: alerts should be enabled","policyType":"BuiltIn","mode":"All","description":"Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are - aware of any potential security issues and are able to mitigate the risks","metadata":{"category":"Security + aware of any potential security issues and are able to mitigate the risks","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/alertNotifications","notEquals":"Off"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899","type":"Microsoft.Authorization/policyDefinitions","name":"6e2593d9-add6-4083-9c9b-4b7d2188c899"}' headers: cache-control: - no-cache content-length: - - '1130' + - '1148' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:09 GMT + - Thu, 06 Feb 2020 00:15:27 GMT expires: - '-1' pragma: 
@@ -23036,7 +23892,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23057,7 +23913,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23074,7 +23930,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:10 GMT + - Thu, 06 Feb 2020 00:15:27 GMT expires: - '-1' pragma: @@ -23101,7 +23957,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23110,16 +23966,16 @@ interactions: body: string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation only in Japan data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"}' + resource creation in the following locations only: Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4","type":"Microsoft.Authorization/policyDefinitions","name":"6fdb9205-3462-4cfc-87d8-16c7860b53f4"}' headers: cache-control: - no-cache content-length: - - '601' + - '630' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:11 GMT + - Thu, 06 Feb 2020 00:15:27 GMT expires: - '-1' pragma: @@ -23129,7 +23985,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23150,7 +24006,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23167,7 +24023,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:13 GMT + - Thu, 06 Feb 2020 00:15:28 GMT expires: - '-1' pragma: @@ -23194,7 +24050,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23207,17 +24063,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer
","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce","type":"Microsoft.Authorization/policyDefinitions","name":"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"}' headers: cache-control: - no-cache content-length: - - '2693' + - '3277' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:14 GMT + - Thu, 06 Feb 2020 00:15:29 GMT expires: - '-1' pragma: @@ -23248,7 +24104,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23265,7 +24121,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:15 GMT + - Thu, 06 Feb 2020 00:15:29 GMT expires: - '-1' pragma: 
@@ -23292,7 +24148,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23304,7 +24160,7 @@ interactions: newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for @@ -23316,11 +24172,11 @@ interactions: cache-control: - no-cache content-length: - - '2110' + - '2128' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:16 GMT + - Thu, 06 Feb 2020 00:15:29 GMT expires: - '-1' pragma: @@ -23351,7 +24207,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23368,7 +24224,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:18 GMT + - Thu, 06 Feb 2020 00:15:30 GMT expires: - '-1' pragma: 
@@ -23395,78 +24251,80 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Windows Components''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"Send - file samples when further analysis is required","description":"Specifies whether - and how Windows Defender will submit samples of suspected malware to Microsoft - for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"Allow - indexing of encrypted files","description":"Specifies whether encrypted items - are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"Allow - Telemetry","description":"Specifies configuration of the amount of diagnostic + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"String","metadata":{"displayName":"[Preview]: + Send file samples when further analysis is required","description":"Specifies + whether and how Windows Defender will submit samples of suspected malware to + Microsoft for further analysis when opt-in for MAPS telemetry is set."},"defaultValue":"1"},"AllowIndexingOfEncryptedFiles":{"type":"String","metadata":{"displayName":"[Preview]: + Allow indexing of encrypted files","description":"Specifies whether encrypted + items are allowed to be indexed."},"defaultValue":"0"},"AllowTelemetry":{"type":"String","metadata":{"displayName":"[Preview]: + Allow Telemetry","description":"Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. 
The data is transmitted securely and - sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"Allow - unencrypted traffic","description":"Specifies whether the Windows Remote Management - (WinRM) service sends and receives unencrypted messages over the network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"Always - install with elevated privileges","description":"Specifies whether Windows - Installer should use system permissions when it installs any program on the - system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"Always - prompt for password upon connection","description":"Specifies whether Terminal - Services/Remote Desktop Connection always prompts the client computer for - a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Application: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"Automatically - send memory dumps for OS-generated error reports","description":"Specifies + sensitive data is not sent."},"defaultValue":"2"},"AllowUnencryptedTraffic":{"type":"String","metadata":{"displayName":"[Preview]: + Allow unencrypted traffic","description":"Specifies whether the Windows Remote + Management (WinRM) service sends and receives unencrypted messages over the + network."},"defaultValue":"0"},"AlwaysInstallWithElevatedPrivileges":{"type":"String","metadata":{"displayName":"[Preview]: + Always install with elevated privileges","description":"Specifies whether + Windows Installer should use system permissions when it installs any program + on the 
system."},"defaultValue":"0"},"AlwaysPromptForPasswordUponConnection":{"type":"String","metadata":{"displayName":"[Preview]: + Always prompt for password upon connection","description":"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection."},"defaultValue":"1"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Application: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Application event log in kilobytes."},"defaultValue":"32768"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"String","metadata":{"displayName":"[Preview]: + Automatically send memory dumps for OS-generated error reports","description":"Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft - automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"Configure - Default consent","description":"Specifies setting of the default consent handling - for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"Configure - Windows SmartScreen","description":"Specifies how to manage the behavior of - Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users - before running unrecognized programs downloaded from the Internet. 
Some information - is sent to Microsoft about files and programs run on PCs with this feature - enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"Disallow - Digest authentication","description":"Specifies whether the Windows Remote - Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"Disallow - WinRM from storing RunAs credentials","description":"Specifies whether the - Windows Remote Management (WinRM) service will not allow RunAs credentials - to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"Do - not allow passwords to be saved","description":"Specifies whether to prevent + automatically."},"defaultValue":"1"},"ConfigureDefaultConsent":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Default consent","description":"Specifies setting of the default + consent handling for error reports sent to Microsoft."},"defaultValue":"4"},"ConfigureWindowsSmartScreen":{"type":"String","metadata":{"displayName":"[Preview]: + Configure Windows SmartScreen","description":"Specifies how to manage the + behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. 
Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled."},"defaultValue":"1"},"DisallowDigestAuthentication":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow Digest authentication","description":"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication."},"defaultValue":"0"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"String","metadata":{"displayName":"[Preview]: + Disallow WinRM from storing RunAs credentials","description":"Specifies whether + the Windows Remote Management (WinRM) service will not allow RunAs credentials + to be stored for any plug-ins."},"defaultValue":"1"},"DoNotAllowPasswordsToBeSaved":{"type":"String","metadata":{"displayName":"[Preview]: + Do not allow passwords to be saved","description":"Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords - on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Security: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"Set - client connection encryption level","description":"Specifies whether to require - the use of a specific encryption level to secure communications between client - computers and RD Session Host servers during Remote Desktop Protocol (RDP) - connections. This policy only applies when you are using native RDP encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"Set - the default behavior for AutoRun","description":"Specifies the default behavior - for Autorun commands. Autorun commands are generally stored in autorun.inf - files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"Setup: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"System: - Specify the maximum log file size (KB)","description":"Specifies the maximum - size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"Turn - off Data Execution Prevention for Explorer","description":"Specifies whether - to turn off Data Execution Prevention for Windows File Explorer. Disabling + on a computer."},"defaultValue":"1"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Security: Specify the maximum log file size (KB)","description":"Specifies + the maximum size for the Security event log in kilobytes."},"defaultValue":"196608"},"SetClientConnectionEncryptionLevel":{"type":"String","metadata":{"displayName":"[Preview]: + Set client connection encryption level","description":"Specifies whether to + require the use of a specific encryption level to secure communications between + client computers and RD Session Host servers during Remote Desktop Protocol + (RDP) connections. This policy only applies when you are using native RDP + encryption."},"defaultValue":"3"},"SetTheDefaultBehaviorForAutoRun":{"type":"String","metadata":{"displayName":"[Preview]: + Set the default behavior for AutoRun","description":"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. 
They often launch the installation program or other routines."},"defaultValue":"1"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + Setup: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the Setup event log in kilobytes."},"defaultValue":"32768"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"String","metadata":{"displayName":"[Preview]: + System: Specify the maximum log file size (KB)","description":"Specifies the + maximum size for the System event log in kilobytes."},"defaultValue":"32768"},"TurnOffDataExecutionPreventionForExplorer":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off Data Execution Prevention for Explorer","description":"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to - function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"Specify - the interval to check for definition updates","description":"Specifies an - interval at which to check for Windows Defender definition updates. 
The time - value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration
/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send + function without terminating Explorer."},"defaultValue":"0"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"String","metadata":{"displayName":"[Preview]: + Specify the interval to check for definition updates","description":"Specifies + an interval at which to check for Windows Defender definition updates. The + time value is represented as the number of hours between update checks."},"defaultValue":"8"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-service
s"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Send file samples when further analysis is required;ExpectedValue'', ''='', parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired''), '','', ''Allow indexing of encrypted files;ExpectedValue'', ''='', parameters(''AllowIndexingOfEncryptedFiles''), '','', ''Allow Telemetry;ExpectedValue'', ''='', parameters(''AllowTelemetry''), 
@@ -23492,7 +24350,8 @@ interactions: the maximum log file size (KB);ExpectedValue'', ''='', parameters(''SystemSpecifyTheMaximumLogFileSizeKB''), '','', ''Turn off Data Execution Prevention for Explorer;ExpectedValue'', ''='', parameters(''TurnOffDataExecutionPreventionForExplorer''), '','', ''Specify - the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[paramet
ers(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClientConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToChe
ckForDefinitionUpdates":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue'', ''='', parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsComponents"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},"AllowIndexingOfEncryptedFiles":{"value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},"AllowTelemetry":{"value":"[parameters(''AllowTelemetry'')]"},"AllowUnencryptedTraffic":{"value":"[parameters(''AllowUnencryptedTraffic'')]"},"AlwaysInstallWithElevatedPrivileges":{"value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},"AlwaysPromptForPasswordUponConnection":{"value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},"ConfigureDefaultConsent":{"value":"[parameters(''ConfigureDefaultConsent'')]"},"ConfigureWindowsSmartScreen":{"value":"[parameters(''ConfigureWindowsSmartScreen'')]"},"DisallowDigestAuthentication":{"value":"[parameters(''DisallowDigestAuthentication'')]"},"DisallowWinRMFromStoringRunAsCredentials":{"value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},"DoNotAllowPasswordsToBeSaved":{"value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},"SetClient
ConnectionEncryptionLevel":{"value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},"SetTheDefaultBehaviorForAutoRun":{"value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},"SetupSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},"SystemSpecifyTheMaximumLogFileSizeKB":{"value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},"TurnOffDataExecutionPreventionForExplorer":{"value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"SendFileSamplesWhenFurtherAnalysisIsRequired":{"type":"string"},"AllowIndexingOfEncryptedFiles":{"type":"string"},"AllowTelemetry":{"type":"string"},"AllowUnencryptedTraffic":{"type":"string"},"AlwaysInstallWithElevatedPrivileges":{"type":"string"},"AlwaysPromptForPasswordUponConnection":{"type":"string"},"ApplicationSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports":{"type":"string"},"ConfigureDefaultConsent":{"type":"string"},"ConfigureWindowsSmartScreen":{"type":"string"},"DisallowDigestAuthentication":{"type":"string"},"DisallowWinRMFromStoringRunAsCredentials":{"type":"string"},"DoNotAllowPasswordsToBeSaved":{"type":"string"},"SecuritySpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SetClientConnectionEncryptionLevel":{"type":"string"},"SetTheDefaultBehaviorForAutoRun":{"type":"string"},"SetupSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"SystemSpecifyTheMaximumLogFileSizeKB":{"type":"string"},"TurnOffDataExecutionPreventionForExplorer":{"type":"string"},"SpecifyTheIntervalToCheckForDefinitionUpdates":{"type":"str
ing"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow 
@@ -23513,17 +24372,41 @@ interactions: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify - the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + the interval to check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Send + file samples when further analysis is required;ExpectedValue","value":"[parameters(''SendFileSamplesWhenFurtherAnalysisIsRequired'')]"},{"name":"Allow + indexing of encrypted files;ExpectedValue","value":"[parameters(''AllowIndexingOfEncryptedFiles'')]"},{"name":"Allow + Telemetry;ExpectedValue","value":"[parameters(''AllowTelemetry'')]"},{"name":"Allow + unencrypted traffic;ExpectedValue","value":"[parameters(''AllowUnencryptedTraffic'')]"},{"name":"Always + install with elevated 
privileges;ExpectedValue","value":"[parameters(''AlwaysInstallWithElevatedPrivileges'')]"},{"name":"Always + prompt for password upon connection;ExpectedValue","value":"[parameters(''AlwaysPromptForPasswordUponConnection'')]"},{"name":"Application: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''ApplicationSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Automatically + send memory dumps for OS-generated error reports;ExpectedValue","value":"[parameters(''AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'')]"},{"name":"Configure + Default consent;ExpectedValue","value":"[parameters(''ConfigureDefaultConsent'')]"},{"name":"Configure + Windows SmartScreen;ExpectedValue","value":"[parameters(''ConfigureWindowsSmartScreen'')]"},{"name":"Disallow + Digest authentication;ExpectedValue","value":"[parameters(''DisallowDigestAuthentication'')]"},{"name":"Disallow + WinRM from storing RunAs credentials;ExpectedValue","value":"[parameters(''DisallowWinRMFromStoringRunAsCredentials'')]"},{"name":"Do + not allow passwords to be saved;ExpectedValue","value":"[parameters(''DoNotAllowPasswordsToBeSaved'')]"},{"name":"Security: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SecuritySpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Set + client connection encryption level;ExpectedValue","value":"[parameters(''SetClientConnectionEncryptionLevel'')]"},{"name":"Set + the default behavior for AutoRun;ExpectedValue","value":"[parameters(''SetTheDefaultBehaviorForAutoRun'')]"},{"name":"Setup: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SetupSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"System: + Specify the maximum log file size (KB);ExpectedValue","value":"[parameters(''SystemSpecifyTheMaximumLogFileSizeKB'')]"},{"name":"Turn + off Data Execution Prevention for Explorer;ExpectedValue","value":"[parameters(''TurnOffDataExecutionPreventionForExplorer'')]"},{"name":"Specify + the interval to 
check for definition updates;ExpectedValue","value":"[parameters(''SpecifyTheIntervalToCheckForDefinitionUpdates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24","type":"Microsoft.Authorization/policyDefinitions","name":"7040a231-fb65-4412-8c0a-b365f4866c24"}' headers: cache-control: - no-cache content-length: - - '18346' + - '22517' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:19 GMT + - Thu, 06 Feb 2020 00:15:31 GMT expires: - '-1' pragma: @@ -23533,7 +24416,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23554,7 +24437,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23571,7 +24454,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:21 GMT + - Thu, 06 Feb 2020 00:15:31 GMT expires: - '-1' pragma: @@ -23598,7 +24481,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23611,17 +24494,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type
":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"}' + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6","type":"Microsoft.Authorization/policyDefinitions","name":"7066131b-61a6-4917-a7e4-72e8983f0aa6"}' headers: cache-control: - no-cache content-length: - - '2655' + - '3239' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:22 GMT + - Thu, 06 Feb 2020 00:15:31 GMT expires: - '-1' pragma: @@ -23631,7 +24514,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23652,7 +24535,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23669,7 +24552,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:23 GMT + - Thu, 06 Feb 2020 00:15:32 GMT expires: - '-1' pragma: @@ -23696,7 +24579,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23710,16 +24593,17 @@ interactions: auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"fiel
d":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"}' + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"
Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f","type":"Microsoft.Authorization/policyDefinitions","name":"7227ebe5-9ff7-47ab-b823-171cd02fb90f"}' headers: cache-control: - no-cache content-length: - - '2829' + - '3263' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:24 GMT + - Thu, 06 Feb 2020 00:15:32 GMT expires: - '-1' pragma: @@ -23729,7 +24613,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23750,7 +24634,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23767,7 +24651,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:25 GMT + - Thu, 06 Feb 2020 00:15:33 GMT expires: - '-1' pragma: @@ -23794,7 +24678,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23807,17 +24691,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-wind
ows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8","type":"Microsoft.Authorization/policyDefinitions","name":"7229bd6a-693d-478a-87f0-1dc1af06f3b8"}' headers: cache-control: - no-cache content-length: - - '2668' + - '3252' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:26 GMT + - Thu, 06 Feb 2020 00:15:33 GMT expires: - '-1' pragma: @@ -23827,7 +24711,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -23848,7 +24732,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -23865,7 +24749,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:29 GMT + - Thu, 06 Feb 2020 00:15:34 GMT expires: - '-1' pragma: @@ -23892,7 +24776,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23904,7 +24788,7 @@ interactions: newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for @@ -23916,11 +24800,11 @@ interactions: cache-control: - no-cache content-length: - - '2128' + - '2146' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:30 GMT + - Thu, 06 Feb 2020 00:15:34 GMT expires: - '-1' pragma: @@ -23930,7 +24814,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -23951,7 +24835,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -23968,7 +24852,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:32 GMT + - Thu, 06 Feb 2020 00:15:35 GMT expires: - '-1' pragma: @@ -23995,7 +24879,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24007,7 +24891,7 @@ interactions: newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', @@ -24016,11 +24900,11 @@ interactions: cache-control: - no-cache content-length: - - '1856' + - '1874' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:33 GMT + - Thu, 06 Feb 2020 00:15:35 GMT expires: - '-1' pragma: @@ -24030,7 +24914,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -24051,7 +24935,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24068,7 +24952,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:35 GMT + - Thu, 06 Feb 2020 00:15:36 GMT expires: - '-1' pragma: @@ -24095,7 +24979,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24109,7 +24993,8 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","e
quals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"EnforcePasswordHistory"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -24121,11 +25006,11 @@ interactions: cache-control: - no-cache content-length: - - '5244' + - '5678' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:36 GMT + - Thu, 06 Feb 2020 00:15:36 GMT expires: - '-1' pragma: 
@@ -24156,7 +25041,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24173,7 +25058,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:37 GMT + - Thu, 06 Feb 2020 00:15:37 GMT expires: - '-1' pragma: @@ -24200,7 +25085,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24210,7 +25095,7 @@ interactions: string: '{"properties":{"displayName":"Add a tag to resource groups","policyType":"BuiltIn","mode":"All","description":"Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation - task. If the tag exists with a different value it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task. If the tag exists with a different value it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', @@ -24219,11 +25104,11 @@ interactions: cache-control: - no-cache content-length: - - '1297' + - '1315' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:38 GMT + - Thu, 06 Feb 2020 00:15:37 GMT expires: - '-1' pragma: @@ -24254,7 +25139,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24271,7 +25156,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:40 GMT + - Thu, 06 Feb 2020 00:15:38 GMT expires: - '-1' pragma: @@ -24298,7 +25183,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24307,18 +25192,18 @@ interactions: body: string: '{"properties":{"displayName":"Allowed storage account SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of storage account SKUs that your organization - can deploy.","metadata":{"category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for storage accounts.","displayName":"Allowed SKUs","strongType":"StorageSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1","type":"Microsoft.Authorization/policyDefinitions","name":"7433c107-6db4-4ad1-b57a-a76dce0154a1"}' headers: cache-control: - no-cache content-length: - - '866' + - '884' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:41 GMT + - Thu, 06 Feb 2020 00:15:38 GMT expires: - '-1' pragma: @@ -24328,7 +25213,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -24349,7 +25234,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24366,7 +25251,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:43 GMT + - Thu, 06 Feb 2020 00:15:39 GMT expires: - '-1' pragma: @@ -24393,7 +25278,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24405,7 +25290,7 @@ interactions: newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if - any, and/or new functionalities of the latest version.","metadata":{"category":"App + any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"WindowsPythonLatestVersion":{"type":"String","metadata":{"displayName":"Windows Latest Python version","description":"Latest supported Python version for @@ -24417,11 +25302,11 @@ interactions: cache-control: - no-cache content-length: - - '2110' + - '2128' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:44 GMT + - Thu, 06 Feb 2020 00:15:39 GMT expires: - '-1' pragma: 
@@ -24452,7 +25337,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24469,7 +25354,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:45 GMT + - Thu, 06 Feb 2020 00:15:40 GMT expires: - '-1' pragma: @@ -24496,7 +25381,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24507,17 +25392,17 @@ interactions: logs in App Services","policyType":"BuiltIn","mode":"All","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network - is compromised","metadata":{"category":"App Service","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"}' + is compromised","metadata":{"version":"1.0.0-deprecated","category":"App Service","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites/config"},{"field":"name","equals":"web"},{"anyOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","notEquals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","notEquals":"true"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac","type":"Microsoft.Authorization/policyDefinitions","name":"752c6934-9bcc-4749-b004-655e676ae2ac"}' headers: cache-control: - no-cache content-length: - - '1209' + - '1237' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:45 GMT + - Thu, 06 Feb 2020 00:15:40 GMT expires: - '-1' pragma: @@ -24548,7 +25433,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24565,7 +25450,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:47 GMT + - Thu, 06 Feb 2020 00:15:41 GMT expires: - '-1' pragma: @@ -24592,7 +25477,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24602,18 +25487,18 @@ interactions: string: '{"properties":{"displayName":"Vulnerabilities should be remediated by a Vulnerability Assessment solution","policyType":"BuiltIn","mode":"All","description":"Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without - a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"category":"Security + a Vulnerability Assessment solution in Azure Security Center as recommendations.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"vulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c","type":"Microsoft.Authorization/policyDefinitions","name":"760a85ff-6162-42b3-8d70-698e268f648c"}' headers: cache-control: - no-cache content-length: - - '1159' + - '1177' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:48 GMT + - Thu, 06 Feb 2020 00:15:41 GMT expires: - '-1' pragma: @@ -24623,7 +25508,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: 
@@ -24644,7 +25529,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24661,7 +25546,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:49 GMT + - Thu, 06 Feb 2020 00:15:41 GMT expires: - '-1' pragma: @@ -24688,7 +25573,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24700,7 +25585,7 @@ interactions: Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set - by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: + by calling upgrade on them. In CLI this would be az vmss update-instances.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},{"anyOf":[{"field":"Microsoft.Compute/imageId","in":"[parameters(''listOfImageIdToInclude'')]"},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["14.04.0-LTS","14.04.1-LTS","14.04.5-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["16.04-LTS","16.04.0-LTS"]},{"field":"Microsoft.Compute/imageSKU","in":["18.04-LTS"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","in":["RHEL","RHEL-SAP-HANA"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"SUSE"},{"field":"Microsoft.Compute/imageOffer","in":["SLES","SLES-HPC","SLES-HPC-Priority","SLES-SAP","SLES-SAP-BYOS","SLES-Priority","SLES-BYOS","SLES-SAPCAL","SLES-Standard"]},
{"anyOf":[{"field":"Microsoft.Compute/imageSKU","in":["12-SP2","12-SP3","12-SP4"]}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","in":["CentOS","Centos-LVM","CentOS-SRIOV"]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","like":"6.*"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","like":"7*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"],"existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"DependencyAgentLinux"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Monitoring.DependencyAgent"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"DependencyAgent","vmExtensionPublisher":"Microsoft.Azure.Monitoring.DependencyAgent","vmExtensionType":"DependencyAgentLinux","vmExtensionTypeHandlerVersion":"9.7"},"resources":[{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","name":"[concat(parameters(''vmName''), ''/'', variables(''vmExtensionName''))]","apiVersion":"2018-06-01","location":"[parameters(''location'')]","properties":{"publisher":"[variables(''vmExtensionPublisher'')]","type":"[variables(''vmExtensionType'')]","typeHandlerVersion":"[variables(''vmExtensionTypeHandlerVersion'')]","autoUpgradeMinorVersion":true}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled 
@@ -24709,11 +25594,11 @@ interactions: cache-control: - no-cache content-length: - - '4223' + - '4249' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:50 GMT + - Thu, 06 Feb 2020 00:15:42 GMT expires: - '-1' pragma: @@ -24723,7 +25608,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -24744,7 +25629,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24761,7 +25646,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:52 GMT + - Thu, 06 Feb 2020 00:15:43 GMT expires: - '-1' pragma: @@ -24788,7 +25673,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24797,17 +25682,17 @@ interactions: body: string: '{"properties":{"displayName":"Audit delegation of scopes to a managing tenant","policyType":"BuiltIn","mode":"All","description":"Audit delegation - of scopes to a managing tenant via Azure Lighthouse.","metadata":{"category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + of scopes to a managing tenant via Azure Lighthouse.","metadata":{"version":"1.0.0","category":"Lighthouse"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ManagedServices/registrationAssignments"},{"value":"true","equals":"true"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818","type":"Microsoft.Authorization/policyDefinitions","name":"76bed37b-484f-430f-a009-fd7592dff818"}' headers: cache-control: - no-cache content-length: - - '819' + - '837' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:52 GMT + - Thu, 06 Feb 2020 00:15:43 GMT expires: - '-1' pragma: @@ -24817,7 +25702,7 @@ interactions: transfer-encoding: - chunked vary: - - Accept-Encoding + - Accept-Encoding,Accept-Encoding x-content-type-options: - nosniff status: @@ -24838,7 +25723,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -24855,7 +25740,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:54 GMT + - Thu, 06 Feb 2020 00:15:45 GMT expires: - '-1' pragma: 
@@ -24882,7 +25767,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -24893,225 +25778,17 @@ interactions: profile for Activity Log","policyType":"BuiltIn","mode":"All","description":"This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage - account or to an event hub.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + account or to an event hub.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"field":"Microsoft.Insights/logProfiles/categories","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7","type":"Microsoft.Authorization/policyDefinitions","name":"7796937f-307b-4598-941c-67d3a05ebfe7"}' headers: cache-control: - no-cache content-length: - - '1057' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:08:55 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: 
- - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0?api-version=2019-09-01 - response: - body: - string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''7a031c68-d6ab-406e-a506-697a19c634b0'' could not be found."}}' - headers: - cache-control: - - no-cache - content-length: - - '138' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:08:56 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - status: - code: 404 - message: Not Found -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0?api-version=2019-09-01 - response: - body: - string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows Server virtual - machines on which Windows Serial Console is not enabled. It also creates a - system-assigned managed identity and deploys the VM extension for Guest Configuration. - This policy should only be used along with its corresponding audit policy - in an initiative. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS - Port Number","description":"An integer indicating the COM port to be used - for the Emergency Management Services (EMS) console redirection. For more - information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS - Baud Rate","description":"An integer indicating the baud rate to be used for - the Emergency Management Services (EMS) console redirection. For more information - on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-wi
ndows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', - ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', - ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"}' - headers: - cache-control: - - no-cache - content-length: - - '6931' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:08:57 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1?api-version=2019-09-01 - response: - body: - string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''7c1b1214-f927-48bf-8882-84f0af6588b1'' could not be found."}}' - headers: - cache-control: - - no-cache - content-length: - - '138' - content-type: 
- - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:08:58 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - status: - code: 404 - message: Not Found -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1?api-version=2019-09-01 - response: - body: - string: '{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale - Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable Logs so that activity trail can be recreated when - investigations are required in the event of an incident or a compromise.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.OSTCExtensions"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"}' - headers: - cache-control: - - no-cache - content-length: - - '1436' + - '1075' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:08:59 GMT + - Thu, 06 Feb 2020 00:15:45 GMT expires: - '-1' pragma: 
@@ -25142,7 +25819,216 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''7a031c68-d6ab-406e-a506-697a19c634b0'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:15:45 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows + Server VMs on which Windows Serial Console is not enabled","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows Server virtual + machines on which Windows Serial Console is not enabled. 
It also creates a + system-assigned managed identity and deploys the VM extension for Guest Configuration. + This policy should only be used along with its corresponding audit policy + in an initiative. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EMSPortNumber":{"type":"String","metadata":{"displayName":"EMS + Port Number","description":"An integer indicating the COM port to be used + for the Emergency Management Services (EMS) console redirection. For more + information on EMS settings, please visit https://aka.ms/gcpolwsc"},"allowedValues":["1","2","3","4"],"defaultValue":"1"},"EMSBaudRate":{"type":"String","metadata":{"displayName":"EMS + Baud Rate","description":"An integer indicating the baud rate to be used for + the Emergency Management Services (EMS) console redirection. For more information + on EMS settings, please visit 
https://aka.ms/gcpolwsc"},"allowedValues":["9600","19200","38400","57600","115200"],"defaultValue":"115200"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLik
e":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber'', + ''='', parameters(''EMSPortNumber''), '','', ''[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate'', + ''='', parameters(''EMSBaudRate'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsSerialConsole"},"EMSPortNumber":{"value":"[parameters(''EMSPortNumber'')]"},"EMSBaudRate":{"value":"[parameters(''EMSBaudRate'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EMSPortNumber":{"type":"string"},"EMSBaudRate":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber","value":"[parameters(''EMSPortNumber'')]"},{"name":"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate","value":"[parameters(''EMSBaudRate'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0","type":"Microsoft.Authorization/policyDefinitions","name":"7a031c68-d6ab-406e-a506-697a19c634b0"}' + headers: + cache-control: + - no-cache + content-length: + - '7342' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:15:45 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''7c1b1214-f927-48bf-8882-84f0af6588b1'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: 
+ - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:15:46 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Diagnostic logs in Virtual Machine Scale + Sets should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"It + is recommended to enable Logs so that activity trail can be recreated when + investigations are required in the event of an incident or a compromise.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"IaaSDiagnostics"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.Azure.Diagnostics"}]},{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","equals":"LinuxDiagnostic"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","in":["Microsoft.OSTCExtensions","Microsoft.Azure.Diagnostics"]}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1","type":"Microsoft.Authorization/policyDefinitions","name":"7c1b1214-f927-48bf-8882-84f0af6588b1"}' + headers: + cache-control: + - no-cache + content-length: + - '1482' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:15:46 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25159,7 +26045,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:01 GMT + - Thu, 06 Feb 2020 00:15:47 GMT expires: - '-1' pragma: @@ -25186,7 +26072,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25198,16 +26084,16 @@ interactions: policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. This policy is deprecated because storage blob encryption is now enabled by - default, and can no longer be disabled.","metadata":{"category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"}' + default, and can no longer be disabled.","metadata":{"version":"1.0.0-deprecated","category":"Storage","deprecated":true},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/enableBlobEncryption","equals":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f","type":"Microsoft.Authorization/policyDefinitions","name":"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"}' headers: cache-control: - no-cache content-length: - - '881' + - '910' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:02 GMT + - Thu, 06 Feb 2020 00:15:47 GMT expires: - '-1' pragma: @@ -25238,7 +26124,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25255,7 +26141,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:03 GMT + - Thu, 06 Feb 2020 00:15:48 GMT expires: - '-1' pragma: @@ -25282,7 +26168,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25294,17 +26180,17 @@ interactions: policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"}' + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":
"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c","type":"Microsoft.Authorization/policyDefinitions","name":"7e56b49b-5990-4159-a734-511ea19b731c"}' headers: cache-control: - no-cache content-length: - - '2734' + - '3145' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:04 GMT + - Thu, 06 Feb 2020 00:15:49 GMT expires: - '-1' pragma: @@ -25335,7 +26221,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25352,7 +26238,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:05 GMT + - Thu, 06 Feb 2020 00:15:49 GMT expires: - '-1' pragma: @@ -25379,7 +26265,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25392,16 +26278,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"
field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"
field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa","type":"Microsoft.Authorization/policyDefinitions","name":"7e84ba44-6d03-46fd-950e-5efa5a1112fa"}' headers: cache-control: - no-cache content-length: - - '2769' + - '3203' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:06 GMT + - Thu, 06 Feb 2020 00:15:49 GMT expires: - '-1' pragma: @@ -25432,7 +26319,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -25449,7 +26336,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:08 GMT + - Thu, 06 Feb 2020 00:15:50 GMT expires: - '-1' pragma: 
@@ -25476,7 +26363,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25490,8 +26377,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordMustMeetComplexityRequirements"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -25503,11 +26390,11 @@ interactions: cache-control: - no-cache content-length: - - '5296' + - '5730' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:09 GMT + - Thu, 06 Feb 2020 00:15:50 GMT expires: - '-1' pragma: 
@@ -25538,7 +26425,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -25555,7 +26442,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:10 GMT + - Thu, 06 Feb 2020 00:15:51 GMT expires: - '-1' pragma: @@ -25582,7 +26469,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25595,17 +26482,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bo
sh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c","type":"Microsoft.Authorization/policyDefinitions","name":"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"}' headers: cache-control: - no-cache content-length: - - '2675' + - '3259' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:11 GMT + - Thu, 06 Feb 2020 00:15:51 GMT expires: - '-1' pragma: @@ -25636,7 +26523,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -25653,7 +26540,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:12 GMT + - Thu, 06 Feb 2020 00:15:52 GMT expires: - '-1' pragma: 
@@ -25680,7 +26567,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -25688,17 +26575,17 @@ interactions: response: body: string: '{"properties":{"displayName":"Audit diagnostic setting","policyType":"BuiltIn","mode":"All","description":"Audit - diagnostic setting for selected resource types","metadata":{"category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource + diagnostic setting for selected resource types","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"listOfResourceTypes":{"type":"Array","metadata":{"displayName":"Resource Types","strongType":"resourceTypes"}}},"policyRule":{"if":{"field":"type","in":"[parameters(''listOfResourceTypes'')]"},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9","type":"Microsoft.Authorization/policyDefinitions","name":"7f89b1eb-583c-429a-8828-af049802c1d9"}' headers: cache-control: - no-cache content-length: - - '890' + - '908' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:13 GMT + - Thu, 06 Feb 2020 00:15:52 GMT expires: - '-1' pragma: @@ -25729,7 +26616,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25746,7 +26633,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:14 GMT + - Thu, 06 Feb 2020 00:15:52 GMT expires: - '-1' pragma: @@ -25773,7 +26660,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -25784,17 +26671,17 @@ interactions: configured to capture critical activities","policyType":"BuiltIn","mode":"Indexed","description":"The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough - audit logging","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + audit logging","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"allOf":[{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"FAILED_DATABASE_AUTHENTICATION_GROUP"}},{"not":{"field":"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]","notEquals":"BATCH_COMPLETED_GROUP"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5","type":"Microsoft.Authorization/policyDefinitions","name":"7ff426e2-515f-405a-91c8-4f2333442eb5"}' headers: cache-control: - no-cache content-length: - - '1437' + - '1455' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:15 GMT + - Thu, 06 Feb 2020 00:15:52 GMT expires: - '-1' pragma: 
@@ -25825,7 +26712,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -25842,7 +26729,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:17 GMT + - Thu, 06 Feb 2020 00:15:53 GMT expires: - '-1' pragma: 
@@ -25869,76 +26756,76 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''User Rights Assignment''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - or groups that may access this computer from the network","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may access this computer from the network","description":"Specifies which remote users on the network are permitted to connect to the computer. 
This does not include Remote Desktop Connection."},"defaultValue":"Administrators, - Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"Users - or groups that may log on locally","description":"Specifies which users or - groups can interactively log on to the computer. Users who attempt to log - on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - or groups that may log on through Remote Desktop Services","description":"Specifies + Authenticated Users"},"UsersOrGroupsThatMayLogOnLocally":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on locally","description":"Specifies which users + or groups can interactively log on to the computer. Users who attempt to log + on via Remote Desktop Connection or IIS also require this user right."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may log on through Remote Desktop Services","description":"Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."},"defaultValue":"Administrators, - Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"Users - and groups that are denied access to this computer from the network","description":"Specifies + Remote Desktop Users"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied access to this computer from the network","description":"Specifies which users or groups are explicitly prohibited from connecting to the computer - across the 
network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"Users - or groups that may manage auditing and security log","description":"Specifies + across the network."},"defaultValue":"Guests"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may manage auditing and security log","description":"Specifies users and groups permitted to change the auditing options for files and directories - and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - or groups that may back up files and directories","description":"Specifies + and clear the Security log."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may back up files and directories","description":"Specifies users and groups allowed to circumvent file and directory permissions to back - up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"Users - or groups that may change the system time","description":"Specifies which - users and groups are permitted to change the time and date on the internal - clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"Users - or groups that may change the time zone","description":"Specifies which users - and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, - LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"Users - or groups that may create a token object","description":"Specifies which users - and groups are permitted to create 
an access token, which may provide elevated - rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a batch job","description":"Specifies + up the system."},"defaultValue":"Administrators, Backup Operators"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the system time","description":"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer."},"defaultValue":"Administrators, LOCAL SERVICE"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may change the time zone","description":"Specifies which + users and groups are permitted to change the time zone of the computer."},"defaultValue":"Administrators, + LOCAL SERVICE"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may create a token object","description":"Specifies which + users and groups are permitted to create an access token, which may provide + elevated rights to access sensitive data."},"defaultValue":"No One"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a batch job","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - as a batch job (i.e. scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"Users - and groups that are denied logging on as a service","description":"Specifies + as a batch job (i.e. 
scheduled task)."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied logging on as a service","description":"Specifies which service accounts are explicitly not permitted to register a process - as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"Users - and groups that are denied local logon","description":"Specifies which users - and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"Users - and groups that are denied log on through Remote Desktop Services","description":"Specifies + as a service."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied local logon","description":"Specifies which + users and groups are explicitly not permitted to log on to the computer."},"defaultValue":"Guests"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that are denied log on through Remote Desktop Services","description":"Specifies which users and groups are explicitly not permitted to log on to the computer - via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"User - and groups that may force shutdown from a remote system","description":"Specifies + via Terminal Services/Remote Desktop Client."},"defaultValue":"Guests"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"String","metadata":{"displayName":"[Preview]: + User and groups that may force shutdown from a remote system","description":"Specifies which users and groups are 
permitted to shut down the computer from a remote - location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"Users - and groups that may restore files and directories","description":"Specifies + location on the network."},"defaultValue":"Administrators"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may restore files and directories","description":"Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and - directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"Users - and groups that may shut down the system","description":"Specifies which users - and groups who are logged on locally to the computers in your environment - are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"Users - or groups that may take ownership of files or other objects","description":"Specifies + directories."},"defaultValue":"Administrators, Backup Operators"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Users and groups that may shut down the system","description":"Specifies which + users and groups who are logged on locally to the computers in your environment + are permitted to shut down the operating system with the Shut Down command."},"defaultValue":"Administrators"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"String","metadata":{"displayName":"[Preview]: + Users or groups that may take ownership of files or other objects","description":"Specifies which users and groups are permitted to 
take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions - that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","roleDefinitionIds":["/providers/microso
ft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access + that are in place to protect objects to give ownership to the specified user."},"defaultValue":"Administrators"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"}
,{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Access this computer from the network;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork''), '','', ''Allow log on locally;ExpectedValue'', ''='', parameters(''UsersOrGroupsThatMayLogOnLocally''), '','', ''Allow log on through Remote Desktop Services;ExpectedValue'', ''='', 
@@ -25958,7 +26845,8 @@ interactions: '','', ''Restore files and directories;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories''), '','', ''Shut down the system;ExpectedValue'', ''='', parameters(''UsersAndGroupsThatMayShutDownTheSystem''), '','', ''Take ownership of files or other objects;ExpectedValue'', ''='', - parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsASe
rvice'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type":"string"},"UsersAndGroupsThatMayRestoreFile
sAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_UserRightsAssignment"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayLogOnLocally":{"value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},"UsersOrGroupsThatMayChangeTheSystemTime":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},"UsersOrGroupsThatMayChangeTheTimeZone":{"value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},"UsersOrGroupsThatMayCreateATokenObject":{"value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"value":"[parameters(''UsersAndGroupsThatAre
DeniedLoggingOnAsAService'')]"},"UsersAndGroupsThatAreDeniedLocalLogon":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},"UsersAndGroupsThatMayShutDownTheSystem":{"value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayLogOnLocally":{"type":"string"},"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices":{"type":"string"},"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork":{"type":"string"},"UsersOrGroupsThatMayManageAuditingAndSecurityLog":{"type":"string"},"UsersOrGroupsThatMayBackUpFilesAndDirectories":{"type":"string"},"UsersOrGroupsThatMayChangeTheSystemTime":{"type":"string"},"UsersOrGroupsThatMayChangeTheTimeZone":{"type":"string"},"UsersOrGroupsThatMayCreateATokenObject":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob":{"type":"string"},"UsersAndGroupsThatAreDeniedLoggingOnAsAService":{"type":"string"},"UsersAndGroupsThatAreDeniedLocalLogon":{"type":"string"},"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices":{"type":"string"},"UserAndGroupsThatMayForceShutdownFromARemoteSystem":{"type
":"string"},"UsersAndGroupsThatMayRestoreFilesAndDirectories":{"type":"string"},"UsersAndGroupsThatMayShutDownTheSystem":{"type":"string"},"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow 
@@ -25976,17 +26864,38 @@ interactions: shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take - ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Access + this computer from the network;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'')]"},{"name":"Allow + log on locally;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnLocally'')]"},{"name":"Allow + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'')]"},{"name":"Deny + access to this computer from the 
network;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'')]"},{"name":"Manage + auditing and security log;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayManageAuditingAndSecurityLog'')]"},{"name":"Back + up files and directories;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayBackUpFilesAndDirectories'')]"},{"name":"Change + the system time;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheSystemTime'')]"},{"name":"Change + the time zone;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayChangeTheTimeZone'')]"},{"name":"Create + a token object;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayCreateATokenObject'')]"},{"name":"Deny + log on as a batch job;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'')]"},{"name":"Deny + log on as a service;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLoggingOnAsAService'')]"},{"name":"Deny + log on locally;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLocalLogon'')]"},{"name":"Deny + log on through Remote Desktop Services;ExpectedValue","value":"[parameters(''UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'')]"},{"name":"Force + shutdown from a remote system;ExpectedValue","value":"[parameters(''UserAndGroupsThatMayForceShutdownFromARemoteSystem'')]"},{"name":"Restore + files and directories;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayRestoreFilesAndDirectories'')]"},{"name":"Shut + down the system;ExpectedValue","value":"[parameters(''UsersAndGroupsThatMayShutDownTheSystem'')]"},{"name":"Take + ownership of files or other objects;ExpectedValue","value":"[parameters(''UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24","type":"Microsoft.Authorization/policyDefinitions","name":"815dcc9f-6662-43f2-9a03-1b83e9876f24"}' headers: cache-control: - no-cache content-length: - - '17711' + - '21504' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:18 GMT + - Thu, 06 Feb 2020 00:15:53 GMT expires: - '-1' pragma: @@ -26017,7 +26926,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26034,7 +26943,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:19 GMT + - Thu, 06 Feb 2020 00:15:54 GMT expires: - '-1' pragma: 
@@ -26061,7 +26970,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26070,17 +26979,17 @@ interactions: body: string: '{"properties":{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970","type":"Microsoft.Authorization/policyDefinitions","name":"82339799-d096-41ae-8538-b108becf0970"}' headers: cache-control: - no-cache content-length: - - '896' + - '914' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:19 GMT + - Thu, 06 Feb 2020 00:15:54 GMT expires: - '-1' pragma: @@ -26111,7 +27020,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26128,7 +27037,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:21 GMT + - Thu, 06 Feb 2020 00:15:55 GMT expires: - '-1' pragma: @@ -26155,7 +27064,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26166,19 +27075,19 @@ interactions: enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"2.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a","type":"Microsoft.Authorization/policyDefinitions","name":"83a214f7-d01a-484b-91a9-ed54470c9a6a"}' headers: cache-control: - no-cache content-length: - - '1782' + - '1896' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:22 GMT + - Thu, 06 Feb 2020 00:15:55 GMT expires: - '-1' pragma: @@ -26209,7 +27118,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26226,7 +27135,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:23 GMT + - Thu, 06 Feb 2020 00:15:56 GMT expires: - '-1' pragma: 
@@ -26253,7 +27162,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26265,16 +27174,16 @@ interactions: the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be - reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"}' + reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id","notLike":"*"}}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114","type":"Microsoft.Authorization/policyDefinitions","name":"83a86a26-fd1f-447c-b59d-e51f44264114"}' headers: cache-control: - no-cache content-length: - - '894' + - '912' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:24 GMT + - Thu, 06 Feb 2020 00:15:56 GMT expires: - '-1' pragma: 
@@ -26305,7 +27214,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26322,7 +27231,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:26 GMT + - Thu, 06 Feb 2020 00:15:57 GMT expires: - '-1' pragma: @@ -26349,7 +27258,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26361,18 +27270,18 @@ interactions: newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. Using the latest .Net framework version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4","type":"Microsoft.Authorization/policyDefinitions","name":"843664e0-7563-41ee-a9cb-7522c382d2c4"}' headers: cache-control: - no-cache content-length: - - '1248' + - '1266' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:26 GMT + - Thu, 06 Feb 2020 00:15:57 GMT expires: - '-1' pragma: @@ -26403,7 +27312,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26420,7 +27329,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:29 GMT + - Thu, 06 Feb 2020 00:15:57 GMT expires: - '-1' pragma: 
@@ -26447,33 +27356,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Microsoft Network Server''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Server''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","roleDefinitionIds":["/providers/microsoft.authorization/rol
eDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkServer"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e","type":"Microsoft.Authorization/policyDefinitions","name":"86880e5c-df35-43c5-95ad-7e120635775e"}' headers: cache-control: - no-cache content-length: - - '4418' + - '5806' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:29 GMT + - Thu, 06 Feb 2020 00:15:58 GMT expires: - '-1' pragma: @@ -26504,7 +27418,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26521,7 +27435,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:30 GMT + - Thu, 06 Feb 2020 00:15:58 GMT expires: - '-1' pragma: @@ -26548,7 +27462,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26556,17 +27470,17 @@ interactions: response: body: string: '{"properties":{"displayName":"Deploy SQL DB transparent data encryption","policyType":"BuiltIn","mode":"Indexed","description":"Enables - transparent data encryption on SQL databases","metadata":{"category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), + transparent data encryption on SQL databases","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Sql/servers/databases"},{"field":"name","notEquals":"master"}]},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Sql/servers/databases/transparentDataEncryption","name":"current","existenceCondition":{"field":"Microsoft.Sql/transparentDataEncryption.status","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullDbName":{"type":"string"}},"resources":[{"name":"[concat(parameters(''fullDbName''), 
''/current'')]","type":"Microsoft.Sql/servers/databases/transparentDataEncryption","apiVersion":"2014-04-01","properties":{"status":"Enabled"}}]},"parameters":{"fullDbName":{"value":"[field(''fullName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f","type":"Microsoft.Authorization/policyDefinitions","name":"86a912f6-9a06-4e26-b447-11b16ba8659f"}' headers: cache-control: - no-cache content-length: - - '1385' + - '1403' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:31 GMT + - Thu, 06 Feb 2020 00:15:59 GMT expires: - '-1' pragma: @@ -26597,7 +27511,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26614,7 +27528,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:33 GMT + - Thu, 06 Feb 2020 00:15:59 GMT expires: - '-1' pragma: @@ -26641,7 +27555,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26651,17 +27565,18 @@ interactions: string: '{"properties":{"displayName":"System updates should be installed on your machines","policyType":"BuiltIn","mode":"All","description":"Missing security system updates on your servers will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"systemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","type":"Microsoft.Authorization/policyDefinitions","name":"86b3d65f-7626-441e-b690-81a8b71cff60"}' headers: cache-control: - no-cache content-length: - - '1067' + - '1085' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:34 GMT + - Thu, 06 Feb 2020 00:16:00 GMT expires: - '-1' pragma: @@ -26692,7 +27607,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26709,7 +27624,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:35 GMT + - Thu, 06 Feb 2020 00:16:01 GMT expires: - '-1' pragma: @@ -26736,7 +27651,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26748,18 +27663,18 @@ interactions: service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3","type":"Microsoft.Authorization/policyDefinitions","name":"86d97760-d216-4d81-a3ad-163087b2b6c3"}' headers: cache-control: - no-cache content-length: - - '1245' + - '1263' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:36 GMT + - Thu, 06 Feb 2020 00:16:01 GMT expires: - '-1' pragma: 
@@ -26790,7 +27705,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26807,7 +27722,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:38 GMT + - Thu, 06 Feb 2020 00:16:02 GMT expires: - '-1' pragma: @@ -26834,7 +27749,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26842,18 +27757,18 @@ interactions: response: body: string: '{"properties":{"displayName":"Require specified tag","policyType":"BuiltIn","mode":"Indexed","description":"Enforces - existence of a tag. Does not apply to resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag. Does not apply to resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99","type":"Microsoft.Authorization/policyDefinitions","name":"871b6d14-10aa-478d-b590-94f262ecfa99"}' headers: cache-control: - no-cache content-length: - - '655' + - '673' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:39 GMT + - Thu, 06 Feb 2020 00:16:02 GMT expires: - '-1' pragma: 
@@ -26884,7 +27799,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26901,7 +27816,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:40 GMT + - Thu, 06 Feb 2020 00:16:03 GMT expires: - '-1' pragma: @@ -26928,7 +27843,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -26941,17 +27856,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","detai
ls":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","li
ke":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c","type":"Microsoft.Authorization/policyDefinitions","name":"87b590fe-4a1d-4697-ae74-d4fe72ab786c"}' headers: cache-control: - no-cache content-length: - - '2685' + - '3269' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:41 GMT + - Thu, 06 Feb 2020 00:16:03 GMT expires: - '-1' pragma: @@ -26982,7 +27897,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -26999,7 +27914,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:42 GMT + - Thu, 06 Feb 2020 00:16:03 GMT expires: - '-1' pragma: 
@@ -27026,7 +27941,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27040,9 +27955,9 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names","description":"A semicolon-separated list of the names of the applications - that should not be installed. e.g. ''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLik
e":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', + that should not be installed. e.g. 
''python; powershell''"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":
"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"not_installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent'', ''='', concat(''packages: ['', replace(parameters(''ApplicationName''), '';'', '',''), '']'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"not_installed_application_linux"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -27058,11 +27973,11 @@ interactions: cache-control: - no-cache content-length: - - '6702' + - '7150' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:43 GMT + - Thu, 06 Feb 2020 00:16:03 GMT expires: - '-1' pragma: @@ -27093,7 +28008,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27110,7 +28025,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:45 GMT + - Thu, 06 Feb 2020 00:16:04 GMT expires: - '-1' pragma: @@ -27137,7 +28052,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27149,7 +28064,8 @@ interactions: newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to to take advantage of security fixes, if any, and/or - new functionalities of the latest version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), @@ -27158,11 +28074,11 @@ interactions: cache-control: - no-cache content-length: - - '1866' + - '1884' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:47 GMT + - Thu, 06 Feb 2020 00:16:04 GMT expires: - '-1' pragma: 
@@ -27193,7 +28109,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27210,7 +28126,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:48 GMT + - Thu, 06 Feb 2020 00:16:05 GMT expires: - '-1' pragma: @@ -27237,7 +28153,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27248,16 +28164,16 @@ interactions: forwarding","policyType":"BuiltIn","mode":"Indexed","description":"This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure''s check of the source and destination for a - network interface. This should be reviewed by the network security team.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"}' + network interface. This should be reviewed by the network security team.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"field":"Microsoft.Network/networkInterfaces/enableIpForwarding","equals":"true"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900","type":"Microsoft.Authorization/policyDefinitions","name":"88c0b9da-ce96-4b03-9635-f29a937e2900"}' headers: cache-control: - no-cache content-length: - - '816' + - '834' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:49 GMT + - Thu, 06 Feb 2020 00:16:05 GMT expires: - '-1' pragma: @@ -27288,7 +28204,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27305,7 +28221,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:51 GMT + - Thu, 06 Feb 2020 00:16:07 GMT expires: - '-1' pragma: @@ -27332,7 +28248,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27341,17 +28257,17 @@ interactions: body: string: '{"properties":{"displayName":"SQL servers should be configured with auditing retention days greater than 90 days.","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers configured with an auditing retention period of less than 90 days.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + SQL servers configured with an auditing retention period of less than 90 days.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/auditingSettings/retentionDays","greater":90}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743","type":"Microsoft.Authorization/policyDefinitions","name":"89099bee-89e0-4b26-a5f4-165451757743"}' headers: cache-control: - no-cache content-length: - - '992' + - '1010' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:52 GMT + - Thu, 06 Feb 2020 00:16:07 GMT expires: - '-1' pragma: 
@@ -27382,7 +28298,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27399,7 +28315,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:54 GMT + - Thu, 06 Feb 2020 00:16:07 GMT expires: - '-1' pragma: @@ -27426,7 +28342,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27439,17 +28355,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - System settings''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"
type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windo
ws-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsSystemsettings","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b","type":"Microsoft.Authorization/policyDefinitions","name":"8a39d1f1-5513-4628-b261-f469a5a3341b"}' headers: cache-control: - no-cache content-length: - - '2667' + - '3251' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:54 GMT + - Thu, 06 Feb 2020 00:16:07 GMT expires: - '-1' pragma: @@ -27480,7 +28396,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27497,7 +28413,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:56 GMT + - Thu, 06 Feb 2020 00:16:08 GMT expires: - '-1' pragma: 
@@ -27524,7 +28440,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27536,17 +28452,17 @@ interactions: policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals
":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"
Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b","type":"Microsoft.Authorization/policyDefinitions","name":"8b0de57a-f511-4d45-a277-17cb79cb163b"}' headers: cache-control: - no-cache content-length: - - '2681' + - '3092' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:57 GMT + - Thu, 06 Feb 2020 00:16:08 GMT expires: - '-1' pragma: @@ -27577,7 +28493,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27594,7 +28510,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:58 GMT + - Thu, 06 Feb 2020 00:16:09 GMT expires: - '-1' pragma: @@ -27621,7 +28537,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27634,17 +28550,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"
Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"fiel
d":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec","type":"Microsoft.Authorization/policyDefinitions","name":"8bbd627e-4d25-4906-9a6e-3789780af3ec"}' headers: cache-control: - no-cache content-length: - - '2649' + - '3233' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:59 GMT + - Thu, 06 Feb 2020 00:16:10 GMT expires: - '-1' pragma: @@ -27675,7 +28591,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27692,7 +28608,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:00 GMT + - Thu, 06 Feb 2020 00:16:10 GMT expires: - '-1' pragma: 
@@ -27719,7 +28635,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27731,18 +28647,18 @@ interactions: service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","Equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae","type":"Microsoft.Authorization/policyDefinitions","name":"8c122334-9d20-4eb8-89ea-ac9a705b74ae"}' headers: cache-control: - no-cache content-length: - - '1232' + - '1250' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:01 GMT + - Thu, 06 Feb 2020 00:16:10 GMT expires: - '-1' pragma: 
@@ -27773,7 +28689,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27790,7 +28706,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:09:59 GMT + - Thu, 06 Feb 2020 00:16:10 GMT expires: - '-1' pragma: @@ -27817,7 +28733,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27826,17 +28742,17 @@ interactions: body: string: '{"properties":{"displayName":"Latest TLS version should be used in your API App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e","type":"Microsoft.Authorization/policyDefinitions","name":"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"}' headers: cache-control: - no-cache content-length: - - '930' + - '948' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:00 GMT + - Thu, 06 Feb 2020 00:16:11 GMT expires: - '-1' pragma: @@ -27867,7 +28783,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27884,7 +28800,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:05 GMT + - Thu, 06 Feb 2020 00:16:12 GMT expires: - '-1' pragma: 
@@ -27911,7 +28827,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -27920,7 +28836,7 @@ interactions: body: string: '{"properties":{"displayName":"Require tag and its value on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces a required - tag and its value on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + tag and its value on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46","type":"Microsoft.Authorization/policyDefinitions","name":"8ce3da23-7156-49e4-b145-24f95f9dcb46"}' @@ -27928,11 +28844,11 @@ interactions: cache-control: - no-cache content-length: - - '902' + - '920' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:06 GMT + - Thu, 06 Feb 2020 00:16:12 GMT expires: - '-1' pragma: @@ -27963,7 +28879,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -27980,7 +28896,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:08 GMT + - Thu, 06 Feb 2020 00:16:12 GMT expires: - '-1' pragma: 
@@ -28007,51 +28923,60 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Object Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Object Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"Audit - Detailed File Share","description":"If this policy setting is enabled, access - to all shared files and folders on the system is audited. Auditing for Success - can lead to very high volumes of events."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"Audit - File Share","description":"Specifies whether to audit events related to file - shares: creation, deletion, modification, and access attempts. Also, it shows - failed SMB SPN checks. 
Event volumes can be high on DCs and File Servers."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"Audit - File System","description":"Specifies whether audit events are generated when - users attempt to access file system objects. Audit events are generated only - for objects that have configured system access control lists (SACLs)."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditDetailedFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Detailed File Share","description":"If this policy setting is enabled, + access to all shared files and folders on the system is audited. Auditing + for Success can lead to very high volumes of events."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"},"AuditFileShare":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File Share","description":"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers."},"allowedValues":["No Auditing","Success","Failure","Success and + Failure"],"defaultValue":"No Auditing"},"AuditFileSystem":{"type":"String","metadata":{"displayName":"[Preview]: + Audit File System","description":"Specifies whether audit events are generated + when users attempt to access file system objects. 
Audit events are generated + only for objects that have configured system access control lists (SACLs)."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field"
:"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesObjectAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Detailed File Share;ExpectedValue'', ''='', parameters(''AuditDetailedFileShare''), '','', ''Audit File Share;ExpectedValue'', ''='', parameters(''AuditFileShare''), - '','', ''Audit File System;ExpectedValue'', ''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit File System;ExpectedValue'', 
''='', parameters(''AuditFileSystem'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesObjectAccess"},"AuditDetailedFileShare":{"value":"[parameters(''AuditDetailedFileShare'')]"},"AuditFileShare":{"value":"[parameters(''AuditFileShare'')]"},"AuditFileSystem":{"value":"[parameters(''AuditFileSystem'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditDetailedFileShare":{"type":"string"},"AuditFileShare":{"type":"string"},"AuditFileSystem":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit + File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Detailed File Share;ExpectedValue","value":"[parameters(''AuditDetailedFileShare'')]"},{"name":"Audit File Share;ExpectedValue","value":"[parameters(''AuditFileShare'')]"},{"name":"Audit - File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + File System;ExpectedValue","value":"[parameters(''AuditFileSystem'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a","type":"Microsoft.Authorization/policyDefinitions","name":"8e170edb-e0f5-497a-bb36-48b3280cec6a"}' 
headers: cache-control: - no-cache content-length: - - '6566' + - '8282' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:09 GMT + - Thu, 06 Feb 2020 00:16:13 GMT expires: - '-1' pragma: @@ -28082,7 +29007,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28099,7 +29024,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:10 GMT + - Thu, 06 Feb 2020 00:16:13 GMT expires: - '-1' pragma: @@ -28126,7 +29051,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28140,7 +29065,8 @@ interactions: system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"
field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"StorePasswordsUsingReversibleEncryption","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"StorePasswordsUsingReversibleEncryption"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -28152,11 +29078,11 @@ interactions: cache-control: - no-cache content-length: - - '5296' + - '5730' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:11 GMT + - Thu, 06 Feb 2020 00:16:14 GMT expires: - '-1' pragma: 
@@ -28187,7 +29113,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28204,7 +29130,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:12 GMT + - Thu, 06 Feb 2020 00:16:14 GMT expires: - '-1' pragma: 
@@ -28231,94 +29157,97 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Windows Firewall Properties''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Firewall Properties''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Domain profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Behavior for outbound connections","description":"Specifies + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"WindowsFirewallDomainUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Domain): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Domain - profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Private - profile to filter network traffic. 
If you select Off, Windows Firewall with - Advanced Security will not use any of the firewall rules or connection security - rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Behavior for outbound connections","description":"Specifies + for the Domain profile."},"defaultValue":"1"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile."},"defaultValue":"1"},"WindowsFirewallDomainDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Domain): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile."},"defaultValue":"1"},"WindowsFirewallPrivateUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Private): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Private - profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Use profile settings","description":"Specifies whether - Windows Firewall with Advanced Security uses the settings for the Public profile - to filter network traffic. 
If you select Off, Windows Firewall with Advanced - Security will not use any of the firewall rules or connection security rules - for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Behavior for outbound connections","description":"Specifies + for the Private profile."},"defaultValue":"1"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile."},"defaultValue":"1"},"WindowsFirewallPrivateDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Private): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private profile."},"defaultValue":"1"},"WindowsFirewallPublicUseProfileSettings":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Use profile settings","description":"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile."},"defaultValue":"1"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Behavior for outbound connections","description":"Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. 
The default value of 0 means to allow connections, - and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local connection security rules","description":"Specifies + and a value of 1 means to block connections."},"defaultValue":"0"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local connection security rules","description":"Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy - for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Apply local firewall rules","description":"Specifies whether - local administrators are allowed to create local firewall rules that apply - together with firewall rules configured by Group Policy for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"Windows - Firewall (Public): Display notifications","description":"Specifies whether - Windows Firewall with Advanced Security displays notifications to the user - when a program is blocked from receiving inbound connections, for the Public - profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Domain: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: 
Private: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"Windows - Firewall: Public: Allow unicast response","description":"Specifies whether - Windows Firewall with Advanced Security permits the local computer to receive - unicast responses to its outgoing multicast or broadcast messages; for the - Public profile."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Com
pute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows + for the Public profile."},"defaultValue":"1"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Apply local firewall rules","description":"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile."},"defaultValue":"1"},"WindowsFirewallPublicDisplayNotifications":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall (Public): Display notifications","description":"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile."},"defaultValue":"1"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Domain: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile."},"defaultValue":"0"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Private: Allow unicast response","description":"Specifies + whether Windows 
Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile."},"defaultValue":"0"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"String","metadata":{"displayName":"[Preview]: + Windows Firewall: Public: Allow unicast response","description":"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public profile."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsFirewallProperties","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Windows Firewall: Domain: Firewall state;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainUseProfileSettings''), '','', ''Windows Firewall: Domain: Outbound connections;ExpectedValue'', ''='', parameters(''WindowsFirewallDomainBehaviorForOutboundConnections''), '','', 
@@ -28350,7 +29279,28 @@ interactions: '','', ''Windows Firewall: Private: Allow unicast response;ExpectedValue'', ''='', parameters(''WindowsFirewallPrivateAllowUnicastResponse''), '','', ''Windows Firewall: Public: Allow unicast response;ExpectedValue'', ''='', - parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicUseProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameter
s(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicD
isplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + parameters(''WindowsFirewallPublicAllowUnicastResponse'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_WindowsFirewallProperties"},"WindowsFirewallDomainUseProfileSettings":{"value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallDomainApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},"WindowsFirewallDomainDisplayNotifications":{"value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},"WindowsFirewallPrivateUseProfileSettings":{"value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},"WindowsFirewallPrivateDisplayNotifications":{"value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},"WindowsFirewallPublicU
seProfileSettings":{"value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},"WindowsFirewallPublicBehaviorForOutboundConnections":{"value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},"WindowsFirewallPublicApplyLocalFirewallRules":{"value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},"WindowsFirewallPublicDisplayNotifications":{"value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},"WindowsFirewallDomainAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},"WindowsFirewallPrivateAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},"WindowsFirewallPublicAllowUnicastResponse":{"value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"WindowsFirewallDomainUseProfileSettings":{"type":"string"},"WindowsFirewallDomainBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallDomainApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallDomainApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallDomainDisplayNotifications":{"type":"string"},"WindowsFirewallPrivateUseProfileSettings":{"type":"string"},"WindowsFirewallPrivateBehaviorForOutboundConnections":{"type":"string"},"WindowsFirewallPrivateApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPrivateApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPrivateDisplayNotifications":{"type":"string"},"WindowsFirewallPublicUseProfileSettings":{"type":"string"},"WindowsFirewallPublicBehaviorForOutboundConnec
tions":{"type":"string"},"WindowsFirewallPublicApplyLocalConnectionSecurityRules":{"type":"string"},"WindowsFirewallPublicApplyLocalFirewallRules":{"type":"string"},"WindowsFirewallPublicDisplayNotifications":{"type":"string"},"WindowsFirewallDomainAllowUnicastResponse":{"type":"string"},"WindowsFirewallPrivateAllowUnicastResponse":{"type":"string"},"WindowsFirewallPublicAllowUnicastResponse":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows + Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows + Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallDomainApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallDomainDisplayNotifications'')]"},{"name":"Windows + Firewall: Private: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateUseProfileSettings'')]"},{"name":"Windows + Firewall: Private: Outbound 
connections;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateDisplayNotifications'')]"},{"name":"Windows + Firewall: Public: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallPublicUseProfileSettings'')]"},{"name":"Windows + Firewall: Public: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallPublicBehaviorForOutboundConnections'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalConnectionSecurityRules'')]"},{"name":"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue","value":"[parameters(''WindowsFirewallPublicApplyLocalFirewallRules'')]"},{"name":"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows + Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Windows Firewall: Domain: Firewall state;ExpectedValue","value":"[parameters(''WindowsFirewallDomainUseProfileSettings'')]"},{"name":"Windows Firewall: Domain: Outbound connections;ExpectedValue","value":"[parameters(''WindowsFirewallDomainBehaviorForOutboundConnections'')]"},{"name":"Windows 
@@ -28369,17 +29319,19 @@ interactions: Firewall: Public: Settings: Display a notification;ExpectedValue","value":"[parameters(''WindowsFirewallPublicDisplayNotifications'')]"},{"name":"Windows Firewall: Domain: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallDomainAllowUnicastResponse'')]"},{"name":"Windows Firewall: Private: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPrivateAllowUnicastResponse'')]"},{"name":"Windows - Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Firewall: Public: Allow unicast response;ExpectedValue","value":"[parameters(''WindowsFirewallPublicAllowUnicastResponse'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9","type":"Microsoft.Authorization/policyDefinitions","name":"909c958d-1b99-4c74-b88f-46a5c5bc34f9"}' headers: cache-control: - no-cache content-length: - - '20256' + - '24626' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:13 GMT + - Thu, 06 Feb 2020 00:16:14 GMT expires: - '-1' pragma: @@ -28410,7 +29362,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28427,7 +29379,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:15 GMT + - Thu, 06 Feb 2020 00:16:15 GMT expires: - '-1' pragma: @@ -28454,7 +29406,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28468,13 +29420,13 @@ interactions: creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Modules":{"type":"String","metadata":{"displayName":"PowerShell Modules","description":"A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, - 12.0.0.0; ComputerManagementDsc, 6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/
imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', + 12.0.0.0; ComputerManagementDsc, 
6.1.0.0"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fi
eld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellModules","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellModules]PowerShellModules1;Modules'', ''='', parameters(''Modules'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellModules"},"Modules":{"value":"[parameters(''Modules'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Modules":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellModules]PowerShellModules1;Modules","value":"[parameters(''Modules'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -28487,11 +29439,11 @@ interactions: cache-control: - no-cache content-length: - - '6229' + - '6640' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:16 GMT + - Thu, 06 Feb 2020 00:16:15 GMT expires: - '-1' pragma: @@ -28522,7 +29474,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28539,7 +29491,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:18 GMT + - Thu, 06 Feb 2020 00:16:17 GMT expires: - '-1' pragma: @@ -28566,7 +29518,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28579,17 +29531,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Windows Components''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft
.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Com
pute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_WindowsComponents","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897","type":"Microsoft.Authorization/policyDefinitions","name":"9178b430-2295-406e-bb28-f6a7a2a2f897"}' headers: cache-control: - no-cache content-length: - - '2623' + - '3207' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:19 GMT + - Thu, 06 Feb 2020 00:16:17 GMT expires: - '-1' pragma: @@ -28620,7 +29572,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28637,7 +29589,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:21 GMT + - Thu, 06 Feb 2020 00:16:17 GMT expires: - '-1' pragma: 
@@ -28664,7 +29616,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28674,18 +29626,18 @@ interactions: string: '{"properties":{"displayName":"MFA should be enabled accounts with write permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - write privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + write privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForWritePermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","type":"Microsoft.Authorization/policyDefinitions","name":"9297c21d-2ed6-4474-b48f-163f75654ce3"}' headers: cache-control: - no-cache content-length: - - '1104' + - '1122' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:22 GMT + - Thu, 06 Feb 2020 00:16:17 GMT expires: - '-1' pragma: 
@@ -28716,7 +29668,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28733,7 +29685,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:23 GMT + - Thu, 06 Feb 2020 00:16:18 GMT expires: - '-1' pragma: @@ -28760,7 +29712,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28773,17 +29725,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/
machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab","type":"Microsoft.Authorization/policyDefinitions","name":"9328f27e-611e-44a7-a244-39109d7d35ab"}' headers: cache-control: - no-cache content-length: - - '2791' + - '3225' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:24 GMT + - Thu, 06 Feb 2020 00:16:19 GMT expires: - '-1' pragma: @@ -28814,7 +29766,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28831,7 +29783,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:26 GMT + - Thu, 06 Feb 2020 00:16:19 GMT expires: - '-1' pragma: 
@@ -28858,7 +29810,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28873,11 +29825,11 @@ interactions: It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MembersToInclude":{"type":"String","metadata":{"displayName":"Members to include","description":"A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; - myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compu
te/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', + myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Comp
ute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;MembersToInclude'', ''='', 
parameters(''MembersToInclude'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembersToInclude"},"MembersToInclude":{"value":"[parameters(''MembersToInclude'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MembersToInclude":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;MembersToInclude","value":"[parameters(''MembersToInclude'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -28890,11 +29842,11 @@ interactions: cache-control: - no-cache content-length: - - '6158' + - '6569' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:27 GMT + - Thu, 06 Feb 2020 00:16:19 GMT expires: - '-1' pragma: @@ -28925,7 +29877,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -28942,7 +29894,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:28 GMT + - Thu, 06 Feb 2020 00:16:20 GMT expires: - '-1' pragma: @@ -28969,7 +29921,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -28978,16 +29930,16 @@ interactions: body: string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation only in European data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: North Europe, West Europe","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"}' + resource creation in the following locations only: North Europe, West Europe","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["northeurope","westeurope"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b","type":"Microsoft.Authorization/policyDefinitions","name":"94c19f19-8192-48cd-a11b-e37099d3e36b"}' headers: cache-control: - no-cache content-length: - - '610' + - '639' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:29 GMT + - Thu, 06 Feb 2020 00:16:21 GMT expires: - '-1' pragma: 
@@ -29018,7 +29970,103 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''95bccee9-a7f8-4bec-9ee9-62c3473701fc'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:21 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Authentication should be enabled on your + web app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App + Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app","metadata":{"version":"1.0.0","category":"App 
Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc","type":"Microsoft.Authorization/policyDefinitions","name":"95bccee9-a7f8-4bec-9ee9-62c3473701fc"}' + headers: + cache-control: + - no-cache + content-length: + - '1099' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:21 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29035,7 +30083,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:31 GMT + - Thu, 06 Feb 2020 00:16:22 GMT expires: - '-1' pragma: 
@@ -29062,7 +30110,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29070,18 +30118,18 @@ interactions: response: body: string: '{"properties":{"displayName":"Require specified tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Enforces - existence of a tag on resource groups.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + existence of a tag on resource groups.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025","type":"Microsoft.Authorization/policyDefinitions","name":"96670d01-0a4d-4649-9c89-2d3abc0a5025"}' headers: cache-control: - no-cache content-length: - - '743' + - '761' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:32 GMT + - Thu, 06 Feb 2020 00:16:22 GMT expires: - '-1' pragma: @@ -29112,7 +30160,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29129,7 +30177,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:33 GMT + - Thu, 06 Feb 2020 00:16:24 GMT expires: - '-1' pragma: 
@@ -29156,7 +30204,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29167,17 +30215,17 @@ interactions: server should contain an email address to receive security alerts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure that an email address is provided for the ''Send alerts to'' field in the Advanced Data Security server settings. This email address receives alert - notifications when anomalous activities are detected on SQL servers.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + notifications when anomalous activities are detected on SQL servers.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278","type":"Microsoft.Authorization/policyDefinitions","name":"9677b740-f641-4f3c-b9c5-466005c85278"}' headers: cache-control: - no-cache content-length: - - '1167' + - '1185' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:34 GMT + - Thu, 06 Feb 2020 00:16:24 GMT expires: - '-1' pragma: 
@@ -29208,7 +30256,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29225,7 +30273,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:37 GMT + - Thu, 06 Feb 2020 00:16:25 GMT expires: - '-1' pragma: @@ -29252,7 +30300,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -29265,17 +30313,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details
":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"b
osh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf","type":"Microsoft.Authorization/policyDefinitions","name":"97646672-5efa-4622-9b54-740270ad60bf"}' headers: cache-control: - no-cache content-length: - - '2677' + - '3261' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:38 GMT + - Thu, 06 Feb 2020 00:16:25 GMT expires: - '-1' pragma: @@ -29306,7 +30354,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29323,7 +30371,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:40 GMT + - Thu, 06 Feb 2020 00:16:25 GMT expires: - '-1' pragma: 
@@ -29350,47 +30398,54 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Policy Change''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authentication Policy Change","description":"Specifies whether audit events - are generated when changes are made to authentication policy. 
This setting - is useful for tracking changes in domain-level and forest-level trust and - privileges that are granted to user accounts or groups."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"Audit - Authorization Policy Change","description":"Specifies whether audit events - are generated for assignment and removal of user rights in user right policies, - changes in security token object permission, resource attributes changes and - Central Access Policy changes for file system objects."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201
*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditAuthenticationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authentication Policy Change","description":"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"},"AuditAuthorizationPolicyChange":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Authorization Policy Change","description":"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects."},"allowedValues":["No + Auditing","Success","Failure","Success and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-serve
r-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit Authentication Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthenticationPolicyChange''), - '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', 
parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Audit Authorization Policy Change;ExpectedValue'', ''='', parameters(''AuditAuthorizationPolicyChange'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPolicyChange"},"AuditAuthenticationPolicyChange":{"value":"[parameters(''AuditAuthenticationPolicyChange'')]"},"AuditAuthorizationPolicyChange":{"value":"[parameters(''AuditAuthorizationPolicyChange'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditAuthenticationPolicyChange":{"type":"string"},"AuditAuthorizationPolicyChange":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit Authentication Policy Change;ExpectedValue","value":"[parameters(''AuditAuthenticationPolicyChange'')]"},{"name":"Audit - Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Authorization Policy Change;ExpectedValue","value":"[parameters(''AuditAuthorizationPolicyChange'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13","type":"Microsoft.Authorization/policyDefinitions","name":"97b595c8-fd10-400e-8543-28e2b9138b13"}' headers: cache-control: - no-cache content-length: - - '6247' + - '7918' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:41 GMT + - Thu, 06 Feb 2020 00:16:26 GMT expires: - '-1' pragma: @@ -29421,7 +30476,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29438,7 +30493,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:42 GMT + - Thu, 06 Feb 2020 00:16:27 GMT expires: - '-1' pragma: 
@@ -29465,7 +30520,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29475,16 +30530,16 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation only in United States data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows resource creation in the following locations only: Central US, East US, East - US2, North Central US, South Central US, West US","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"}' + US2, North Central US, South Central US, West US","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["centralus","eastus","eastus2","northcentralus","southcentralus","westus"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869","type":"Microsoft.Authorization/policyDefinitions","name":"983211ba-f348-4758-983b-21fa29294869"}' headers: cache-control: - no-cache content-length: - - '711' + - '740' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:43 GMT + - Thu, 06 Feb 2020 00:16:27 GMT expires: - '-1' pragma: 
@@ -29515,7 +30570,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -29532,7 +30587,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:44 GMT + - Thu, 06 Feb 2020 00:16:28 GMT expires: - '-1' pragma: 
@@ -29559,49 +30614,57 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Network''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Network''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"Enable - insecure guest logons","description":"Specifies whether the SMB client will - allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"Allow - simultaneous connections to the Internet or a Windows Domain","description":"Specify + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnableInsecureGuestLogons":{"type":"String","metadata":{"displayName":"[Preview]: + Enable insecure guest logons","description":"Specifies whether the SMB client + will allow insecure guest logons to an SMB server."},"defaultValue":"0"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"String","metadata":{"displayName":"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain","description":"Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. 
A value of 0 allows simultaneous - connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"Turn - off multicast name resolution","description":"Specifies whether LLMNR, a secondary - name resolution protocol that transmits using multicast over a local subnet - link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"depl
oyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable + connections, and a value of 1 blocks them."},"defaultValue":"1"},"TurnOffMulticastNameResolution":{"type":"String","metadata":{"displayName":"[Preview]: + Turn off multicast name resolution","description":"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/im
ageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesNetwork","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enable insecure guest logons;ExpectedValue'', ''='', parameters(''EnableInsecureGuestLogons''), '','', ''Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue'', ''='', parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain''), - '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + '','', ''Turn off multicast name resolution;ExpectedValue'', ''='', 
parameters(''TurnOffMulticastNameResolution'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesNetwork"},"EnableInsecureGuestLogons":{"value":"[parameters(''EnableInsecureGuestLogons'')]"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},"TurnOffMulticastNameResolution":{"value":"[parameters(''TurnOffMulticastNameResolution'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnableInsecureGuestLogons":{"type":"string"},"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain":{"type":"string"},"TurnOffMulticastNameResolution":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn - off multicast name 
resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enable + insecure guest logons;ExpectedValue","value":"[parameters(''EnableInsecureGuestLogons'')]"},{"name":"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue","value":"[parameters(''AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'')]"},{"name":"Turn + off multicast name resolution;ExpectedValue","value":"[parameters(''TurnOffMulticastNameResolution'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8","type":"Microsoft.Authorization/policyDefinitions","name":"985285b7-b97a-419c-8d48-c88cc934c8d8"}' headers: cache-control: - no-cache content-length: - - '6798' + - '8662' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:45 GMT + - Thu, 06 Feb 2020 00:16:28 GMT expires: - '-1' pragma: @@ -29632,7 +30695,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -29649,7 +30712,598 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:48 GMT + - Thu, 06 Feb 2020 00:16:29 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, + if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + newer versions are released for HTTP either due to security flaws or to include + additional functionality. 
Using the latest HTTP version for web apps to take + advantage of security fixes, if any, and/or new functionalities of the newer + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"}' + headers: + cache-control: + - no-cache + content-length: + - '1195' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:29 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5?api-version=2019-09-01 + response: + body: + string: 
'{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9a1b8c48-453a-4044-86c3-d8bfd823e4f5'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:29 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"FTPS only should be required in your + API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable FTPS + enforcement for enhanced security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"}' + headers: + cache-control: + - no-cache + content-length: + - '956' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:29 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9a7c7a7d-49e5-4213-bea8-6a502b6272e0'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:31 GMT + expires: + - '-1' + pragma: + - 
no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Azure + SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys + the diagnostic settings for Azure SQL Database to stream to a regional Event + Hub on any Azure SQL Database which is missing this diagnostic settings is + created or updated.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled + diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"}' + headers: + cache-control: + - no-cache + content-length: + - '4325' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:31 GMT + expires: + - '-1' + pragma: + - no-cache + 
strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9b597639-28e4-48eb-b506-56b05d366257'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:32 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Microsoft IaaSAntimalware extension 
should + be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Windows server VM without Microsoft IaaSAntimalware extension + deployed.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"}' + headers: + cache-control: + - no-cache + content-length: + - '1926' + content-type: + - application/json; charset=utf-8 + 
date: + - Thu, 06 Feb 2020 00:16:33 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9bfe3727-0a17-471f-a2fe-eddd6b668745'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:33 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745?api-version=2019-09-01 + response: + 
body: + string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications + that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use + the latest supported Java version for the latest security classes. Using older + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"}' + headers: + cache-control: + - no-cache + content-length: + - '1229' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:33 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + 
azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:35 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Ensure that ''Java version'' is the latest, + if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + newer versions are released for Java software either due to security flaws + or to include additional functionality. 
Using the latest Java version for + Function apps is recommended in order to to take advantage of security fixes, + if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.1","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest + Java version","description":"Latest supported Java version for App Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', + parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), + ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"}' + headers: + cache-control: + - no-cache + content-length: + - '1908' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:35 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + 
x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''9daedab3-fb2d-461e-b861-71790eead4f6'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:16:35 GMT expires: - '-1' pragma: 
@@ -29676,123 +31330,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db?api-version=2019-09-01 - response: - body: - string: '{"properties":{"displayName":"Ensure that ''HTTP Version'' is the latest, - if used to run the Api app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, - newer versions are released for HTTP either due to security flaws or to include - additional functionality. Using the latest HTTP version for web apps to take - advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db","type":"Microsoft.Authorization/policyDefinitions","name":"991310cd-e9f3-47bc-b7b6-f57b557d07db"}' - headers: - cache-control: - - no-cache - content-length: - - '1177' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:10:49 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - 
Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5?api-version=2019-09-01 - response: - body: - string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9a1b8c48-453a-4044-86c3-d8bfd823e4f5'' could not be found."}}' - headers: - cache-control: - - no-cache - content-length: - - '138' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:10:50 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - status: - code: 404 - message: Not Found -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"FTPS 
only should be required in your - API App","policyType":"BuiltIn","mode":"Indexed","description":"Enable FTPS - enforcement for enhanced security","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/ftpsState","equals":"FtpsOnly"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5","type":"Microsoft.Authorization/policyDefinitions","name":"9a1b8c48-453a-4044-86c3-d8bfd823e4f5"}' + string: '{"properties":{"displayName":"Access through Internet facing endpoint + should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure + Security center has identified some of your Network Security Groups'' inbound + rules to be too permissive. Inbound rules should not allow access from ''Any'' + or ''Internet'' ranges. 
This can potentially enable attackers to easily target + your resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"}' headers: cache-control: - no-cache content-length: - - '938' + - '1250' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:51 GMT + - Thu, 06 Feb 2020 00:16:35 GMT expires: - '-1' pragma: 
@@ -29823,15 +31383,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9a7c7a7d-49e5-4213-bea8-6a502b6272e0'' could not be found."}}' + ''9ea02ca2-71db-412d-8b00-7c7ca9fcd32d'' could not be found."}}' headers: cache-control: - no-cache @@ -29840,7 +31400,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:53 GMT + - Thu, 06 Feb 2020 00:16:37 GMT expires: - '-1' pragma: 
@@ -29867,39 +31427,32 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Azure - SQL Database to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Azure SQL Database to stream to a regional Event - Hub on any Azure SQL Database which is missing this diagnostic settings is - created or updated.","metadata":{"category":"SQL"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"fullName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"resources":[{"type":"Microsoft.Sql/servers/databases/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''fullName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"QueryStoreRuntimeStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"QueryStoreWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Errors","enabled":"[parameters(''logsEnabled'')]"},{"category":"DatabaseWaitStatistics","enabled":"[parameters(''logsEnabled'')]"},{"category":"Blocks","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLInsights","enabled":"[parameters(''logsEnabled'')]"},{"category":"Audit","enabled":"[parameters(''logsEnabled'')]"},{"category":"SQLSecurityAuditEvents","enabled":"[parameters(''logsEnabled'')]"},{"category":"Timeouts","enabled":"[parameters(''logsEnabled'')]"},{"category":"AutomaticTuning","enabled":"[parameters(''logsEnabled'')]"},{"category":"Deadlocks","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{"policy":{"type":"string","value":"[concat(''Enabled - diagnostic settings for '', parameters(''fullName''))]"}}},"parameters":{"location":{"value":"[field(''location'')]"},"fullName":{"value":"[field(''fullName'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0","type":"Microsoft.Authorization/policyDefinitions","name":"9a7c7a7d-49e5-4213-bea8-6a502b6272e0"}' + string: '{"properties":{"displayName":"Append tag and its value from the resource + group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the + specified tag with its value from the resource group when any resource 
which + is missing this tag is created or updated. Does not modify the tags of resources + created before this policy was applied until those resources are changed. + New ''modify'' effect policies are available that support remediation of tags + on existing resources (see https://aka.ms/modifydoc).","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', + parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"}' headers: cache-control: - no-cache content-length: - - '4307' + - '1223' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:54 GMT + - Thu, 06 Feb 2020 00:16:37 GMT expires: - '-1' pragma: 
@@ -29930,15 +31483,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9b597639-28e4-48eb-b506-56b05d366257'' could not be found."}}' + ''9f658460-46b7-43af-8565-94fc0662be38'' could not be found."}}' headers: cache-control: - no-cache @@ -29947,7 +31500,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:55 GMT + - Thu, 06 Feb 2020 00:16:38 GMT expires: - '-1' pragma: 
@@ -29974,27 +31527,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Microsoft IaaSAntimalware extension should - be deployed on Windows servers","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Windows server VM without Microsoft IaaSAntimalware extension - deployed.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageOffer","equals":"WindowsServer"},{"field":"Microsoft.Compute/imageSKU","in":["2008-R2-SP1","2008-R2-SP1-smalldisk","2012-Datacenter","2012-Datacenter-smalldisk","2012-R2-Datacenter","2012-R2-Datacenter-smalldisk","2016-Datacenter","2016-Datacenter-Server-Core","2016-Datacenter-Server-Core-smalldisk","2016-Datacenter-smalldisk","2016-Datacenter-with-Containers","2016-Datacenter-with-RDSH","2019-Datacenter","2019-Datacenter-Core","2019-Datacenter-Core-smalldisk","2019-Datacenter-Core-with-Containers","2019-Datacenter-Core-with-Containers-smalldisk","2019-Datacenter-smalldisk","2019-Datacenter-with-Containers","2019-Datacenter-with-Containers-smalldisk"]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257","type":"Microsoft.Authorization/policyDefinitions","name":"9b597639-28e4-48eb-b506-56b05d366257"}' + string: '{"properties":{"displayName":"Show audit results from Windows VMs that + are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that are not set to the specified time zone. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"}' headers: cache-control: - no-cache content-length: - - '1908' + - '3131' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:56 GMT + - Thu, 06 Feb 2020 00:16:39 GMT expires: - '-1' pragma: @@ -30025,15 +31580,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9bfe3727-0a17-471f-a2fe-eddd6b668745'' could not be found."}}' + ''a030a57e-4639-4e8f-ade9-a92f33afe7ee'' could not be found."}}' headers: cache-control: - no-cache 
@@ -30042,7 +31597,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:10:58 GMT + - Thu, 06 Feb 2020 00:16:39 GMT expires: - '-1' pragma: 
@@ -30069,28 +31624,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications - that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745","type":"Microsoft.Authorization/policyDefinitions","name":"9bfe3727-0a17-471f-a2fe-eddd6b668745"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs on which the Log Analytics agent is not connected as 
expected","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which the Log Analytics agent is not + connected to the specified workspaces. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infr
astructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyticsAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"}' headers: cache-control: - no-cache content-length: - - '1201' + - '3236' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:00 GMT + - Thu, 06 Feb 2020 00:16:40 GMT expires: - '-1' pragma: 
@@ -30121,15 +31678,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc'' could not be found."}}' + ''a08ec900-254a-4555-9bf5-e42af04b5c5c'' could not be found."}}' headers: cache-control: - no-cache @@ -30138,7 +31695,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:01 GMT + - Thu, 06 Feb 2020 00:16:40 GMT expires: - '-1' pragma: 
@@ -30165,33 +31722,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Ensure that ''Java version'' is the latest, - if used as a part of the Funtion app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, - newer versions are released for Java software either due to security flaws - or to include additional functionality. Using the latest Java version for - Function apps is recommended in order to to take advantage of security fixes, - if any, and/or new functionalities of the latest version.","metadata":{"category":"App - Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"JavaLatestVersion":{"type":"String","metadata":{"displayName":"Latest - Java version","description":"Latest supported Java version for App 
Services"},"defaultValue":"11"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"JAVA"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","like":"[concat(''*'', - parameters(''JavaLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.javaVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.javaVersion","like":"[concat(parameters(''JavaLatestVersion''), - ''*'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc","type":"Microsoft.Authorization/policyDefinitions","name":"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"}' + string: '{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables you to specify the resource types that your organization can + deploy. Only resource types that support ''tags'' and ''location'' will be + affected by this policy. 
To restrict all resources please duplicate this policy + and change the ''mode'' to ''All''.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The + list of resource types that can be deployed.","displayName":"Allowed resource + types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"}' headers: cache-control: - no-cache content-length: - - '1890' + - '948' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:01 GMT + - Thu, 06 Feb 2020 00:16:41 GMT expires: - '-1' pragma: @@ -30222,15 +31775,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9daedab3-fb2d-461e-b861-71790eead4f6'' could not be found."}}' + ''a1181c5f-672a-477a-979a-7d58aa086233'' could not be found."}}' headers: cache-control: - no-cache 
@@ -30239,7 +31792,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:04 GMT + - Thu, 06 Feb 2020 00:16:41 GMT expires: - '-1' pragma: 
@@ -30266,29 +31819,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Access through Internet facing endpoint - should be restricted","policyType":"BuiltIn","mode":"All","description":"Azure - Security center has identified some of your Network Security Groups'' inbound - rules to be too permissive. Inbound rules should not allow access from ''Any'' - or ''Internet'' ranges. This can potentially enable attackers to easily target - your resources.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"unprotectedNetworkEndpoint","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","type":"Microsoft.Authorization/policyDefinitions","name":"9daedab3-fb2d-461e-b861-71790eead4f6"}' + string: '{"properties":{"displayName":"Security Center standard pricing tier + should be 
selected","policyType":"BuiltIn","mode":"All","description":"The + standard pricing tier enables threat detection for networks and virtual machines, + providing threat intelligence, anomaly detection, and behavior analytics in + Azure Security Center","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"}' headers: cache-control: - no-cache content-length: - - '1232' + - '1053' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:04 GMT + - Thu, 06 Feb 2020 00:16:41 GMT expires: - '-1' pragma: 
@@ -30319,15 +31872,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9ea02ca2-71db-412d-8b00-7c7ca9fcd32d'' could not be found."}}' + ''a1817ec0-a368-432a-8057-8371e17ac6ee'' could not be found."}}' headers: cache-control: - no-cache @@ -30336,7 +31889,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:05 GMT + - Thu, 06 Feb 2020 00:16:43 GMT expires: - '-1' pragma: 
@@ -30363,32 +31916,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Append tag and its value from the resource - group","policyType":"BuiltIn","mode":"Indexed","description":"Appends the - specified tag with its value from the resource group when any resource which - is missing this tag is created or updated. Does not modify the tags of resources - created before this policy was applied until those resources are changed. 
- New ''modify'' effect policies are available that support remediation of tags - on existing resources (see https://aka.ms/modifydoc).","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag - Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"append","details":[{"field":"[concat(''tags['', - parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d","type":"Microsoft.Authorization/policyDefinitions","name":"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"}' + string: '{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey + should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service + Bus clients should not use a namespace level access policy that provides access + to all queues and topics in a namespace. 
To align with the least privilege + security model, you shoud create access policies at the entity level for queues + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Service + Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"}' headers: cache-control: - no-cache content-length: - - '1205' + - '1186' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:06 GMT + - Thu, 06 Feb 2020 00:16:43 GMT expires: - '-1' pragma: 
@@ -30419,15 +31970,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''9f658460-46b7-43af-8565-94fc0662be38'' could not be found."}}' + ''a1dae6c7-13f3-48ea-a149-ff8442661f60'' could not be found."}}' headers: cache-control: - no-cache @@ -30436,7 +31987,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:08 GMT + - Thu, 06 Feb 2020 00:16:44 GMT expires: - '-1' pragma: 
@@ -30463,29 +32014,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Show audit results from Windows VMs that - are not set to the specified time zone","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that are not set to the specified time zone. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone",
"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38","type":"Microsoft.Authorization/policyDefinitions","name":"9f658460-46b7-43af-8565-94fc0662be38"}' + string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Logic + Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys + the diagnostic settings for Logic Apps to stream to a regional Event Hub when + any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event + Hub Authorization Rule Id","description":"The Event Hub authorization rule + Id for Azure Diagnostics. The authorization rule needs to be at Event Hub + namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60","type":"Microsoft.Authorization/policyDefinitions","name":"a1dae6c7-13f3-48ea-a149-ff8442661f60"}' headers: cache-control: - no-cache content-length: - - '2720' + - '3739' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:09 GMT + - Thu, 06 Feb 2020 00:16:44 GMT expires: - '-1' pragma: 
@@ -30516,15 +32076,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a030a57e-4639-4e8f-ade9-a92f33afe7ee'' could not be found."}}' + ''a1e8dda3-9fd2-4835-aec3-0e55531fde33'' could not be found."}}' headers: cache-control: - no-cache @@ -30533,7 +32093,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:11 GMT + - Thu, 06 Feb 2020 00:16:46 GMT expires: - '-1' pragma: 
@@ -30560,127 +32120,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33?api-version=2019-09-01 response: body: string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs on which the Log Analytics agent is not connected as expected","policyType":"BuiltIn","mode":"All","description":"This + VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which the Log Analytics agent is not - connected to the specified workspaces. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsLogAnalyti
csAgentConnection","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee","type":"Microsoft.Authorization/policyDefinitions","name":"a030a57e-4639-4e8f-ade9-a92f33afe7ee"}' - headers: - cache-control: - - no-cache - content-length: - - '2802' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:11:12 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding,Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c?api-version=2019-09-01 - response: - body: - string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a08ec900-254a-4555-9bf5-e42af04b5c5c'' could not be found."}}' - headers: - cache-control: - - no-cache - content-length: - - '138' - content-type: - - application/json; charset=utf-8 - date: - - Fri, 06 Dec 2019 22:11:13 GMT - expires: - - '-1' - pragma: - - no-cache - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - status: - code: 404 - message: Not Found -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - 
gzip, deflate - CommandName: - - policy definition show - Connection: - - keep-alive - ParameterSetName: - - -n - User-Agent: - - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 - accept-language: - - en-US - method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c?api-version=2019-09-01 - response: - body: - string: '{"properties":{"displayName":"Allowed resource types","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables you to specify the resource types that your organization can - deploy. Only resource types that support ''tags'' and ''location'' will be - affected by this policy. To restrict all resources please duplicate this policy - and change the ''mode'' to ''All''.","metadata":{"category":"General"},"parameters":{"listOfResourceTypesAllowed":{"type":"Array","metadata":{"description":"The - list of resource types that can be deployed.","displayName":"Allowed resource - types","strongType":"resourceTypes"}}},"policyRule":{"if":{"not":{"field":"type","in":"[parameters(''listOfResourceTypesAllowed'')]"}},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c","type":"Microsoft.Authorization/policyDefinitions","name":"a08ec900-254a-4555-9bf5-e42af04b5c5c"}' + auditing Windows virtual machines with non-compliant settings in Group Policy + category: ''Administrative Templates - System''. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","ex
ists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"}' headers: cache-control: - no-cache content-length: - - '930' + - '3249' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:14 GMT + - Thu, 06 Feb 2020 00:16:46 GMT expires: - '-1' pragma: @@ -30711,15 +32174,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a1181c5f-672a-477a-979a-7d58aa086233'' could not be found."}}' + ''a29ee95c-0395-4515-9851-cc04ffe82a91'' could not be found."}}' headers: cache-control: - no-cache 
@@ -30728,7 +32191,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:16 GMT + - Thu, 06 Feb 2020 00:16:46 GMT expires: - '-1' pragma: 
@@ -30755,28 +32218,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Security Center standard pricing tier - should be selected","policyType":"BuiltIn","mode":"All","description":"The - standard pricing tier enables threat detection for networks and virtual machines, - providing threat intelligence, anomaly detection, and behavior analytics in - Azure Security Center","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Security/pricings"},{"field":"Microsoft.Security/pricings/pricingTier","exists":"true"},{"field":"Microsoft.Security/pricings/pricingTier","notEquals":"Standard"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233","type":"Microsoft.Authorization/policyDefinitions","name":"a1181c5f-672a-477a-979a-7d58aa086233"}' + string: '{"properties":{"displayName":"Show audit results from Windows VMs that + are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines that are not joined to the specified domain. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Comput
e/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMembership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"}' headers: cache-control: - no-cache content-length: - - '1035' + - '3139' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:17 GMT + - Thu, 06 Feb 2020 00:16:47 GMT expires: - '-1' pragma: 
@@ -30807,15 +32271,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a1817ec0-a368-432a-8057-8371e17ac6ee'' could not be found."}}' + ''a451c1ef-c6ca-483d-87ed-f49761e3ffb5'' could not be found."}}' headers: cache-control: - no-cache @@ -30824,7 +32288,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:19 GMT + - Thu, 06 Feb 2020 00:16:48 GMT expires: - '-1' pragma: 
@@ -30851,30 +32315,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey - should be removed from Service Bus namespace","policyType":"BuiltIn","mode":"All","description":"Service - Bus clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Service - Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee","type":"Microsoft.Authorization/policyDefinitions","name":"a1817ec0-a368-432a-8057-8371e17ac6ee"}' + string: '{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit + built-in roles such as ''Owner, Contributer, Reader'' 
instead of custom RBAC + roles, which are error prone. Using custom roles is treated as an exception + and requires a rigorous review and threat modeling","metadata":{"version":"1.0.0","category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"}' headers: cache-control: - no-cache content-length: - - '1168' + - '993' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:19 GMT + - Thu, 06 Feb 2020 00:16:48 GMT expires: - '-1' pragma: 
@@ -30905,15 +32366,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a1dae6c7-13f3-48ea-a149-ff8442661f60'' could not be found."}}' + ''a4af4a39-4135-47fb-b175-47fbdf85311d'' could not be found."}}' headers: cache-control: - no-cache @@ -30922,7 +32383,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:21 GMT + - Thu, 06 Feb 2020 00:16:49 GMT expires: - '-1' pragma: 
@@ -30949,38 +32410,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Logic - Apps to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Logic Apps to stream to a regional Event Hub when - any Logic Apps which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event - Hub Authorization Rule Id","description":"The Event Hub authorization rule - Id for Azure Diagnostics. The authorization rule needs to be at Event Hub - namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource - group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization - rule}","strongType":"Microsoft.EventHub/Namespaces/AuthorizationRules","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"eventHubRuleId":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"eventHubAuthorizationRuleId":"[parameters(''eventHubRuleId'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"eventHubRuleId":{"value":"[parameters(''eventHubRuleId'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60","type":"Microsoft.Authorization/policyDefinitions","name":"a1dae6c7-13f3-48ea-a149-ff8442661f60"}' + string: '{"properties":{"displayName":"Web Application should only be accessible + over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of + HTTPS ensures server/service authentication and protects data in transit from + network layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"}' headers: cache-control: - no-cache content-length: - - '3721' + - '926' content-type: - application/json; 
charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:23 GMT + - Thu, 06 Feb 2020 00:16:49 GMT expires: - '-1' pragma: @@ -31011,15 +32462,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a1e8dda3-9fd2-4835-aec3-0e55531fde33'' could not be found."}}' + ''a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9'' could not be found."}}' headers: cache-control: - no-cache @@ -31028,7 +32479,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:24 GMT + - Thu, 06 Feb 2020 00:16:50 GMT expires: - '-1' pragma: 
@@ -31055,30 +32506,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''Administrative Templates - System''","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Administrative Templates - System''. 
For more information on Guest - Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Comp
liant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33","type":"Microsoft.Authorization/policyDefinitions","name":"a1e8dda3-9fd2-4835-aec3-0e55531fde33"}' + string: '{"properties":{"displayName":"Auditing on SQL server should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired + Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"}' headers: cache-control: - no-cache content-length: - - '2665' + - '1175' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:25 GMT + - Thu, 06 Feb 2020 00:16:51 GMT expires: - '-1' pragma: 
@@ -31109,15 +32557,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a29ee95c-0395-4515-9851-cc04ffe82a91'' could not be found."}}' + ''a70ca396-0a34-413a-88e1-b956c1e683be'' could not be found."}}' headers: cache-control: - no-cache @@ -31126,7 +32574,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:27 GMT + - Thu, 06 Feb 2020 00:16:52 GMT expires: - '-1' pragma: 
@@ -31153,29 +32601,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Show audit results from Windows VMs that - are not joined to the specified domain","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines that are not joined to the specified domain. 
- For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDomainMemb
ership","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91","type":"Microsoft.Authorization/policyDefinitions","name":"a29ee95c-0395-4515-9851-cc04ffe82a91"}' + string: '{"properties":{"displayName":"The Log Analytics agent should be installed + on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Windows/Linux virtual machines if the Log Analytics agent + is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"}' headers: cache-control: - no-cache content-length: - - '2728' + - '1366' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:28 GMT + - Thu, 06 Feb 2020 00:16:52 GMT expires: - '-1' pragma: 
@@ -31206,15 +32652,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a451c1ef-c6ca-483d-87ed-f49761e3ffb5'' could not be found."}}' + ''a7aca53f-2ed4-4466-a25e-0b45ade68efd'' could not be found."}}' headers: cache-control: - no-cache @@ -31223,7 +32669,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:30 GMT + - Thu, 06 Feb 2020 00:16:52 GMT expires: - '-1' pragma: 
@@ -31250,27 +32696,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Audit usage of custom RBAC rules","policyType":"BuiltIn","mode":"All","description":"Audit - built-in roles such as ''Owner, Contributer, Reader'' instead of custom RBAC - roles, which are error prone. Using custom roles is treated as an exception - and requires a rigorous review and threat modeling","metadata":{"category":"General"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Authorization/roleDefinitions"},{"field":"Microsoft.Authorization/roleDefinitions/type","equals":"CustomRole"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","type":"Microsoft.Authorization/policyDefinitions","name":"a451c1ef-c6ca-483d-87ed-f49761e3ffb5"}' + string: '{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS + protection standard should be enabled for all virtual networks with a subnet + that is part of an application gateway with a public IP.","metadata":{"version":"1.0.0","category":"Security + 
Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"}' headers: cache-control: - no-cache content-length: - - '975' + - '1071' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:30 GMT + - Thu, 06 Feb 2020 00:16:54 GMT expires: - '-1' pragma: @@ -31301,15 +32747,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a4af4a39-4135-47fb-b175-47fbdf85311d'' could not be found."}}' + ''a7ff3161-0087-490a-9ad9-ad6217f4f43a'' could not be found."}}' headers: cache-control: - no-cache 
@@ -31318,7 +32764,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:32 GMT + - Thu, 06 Feb 2020 00:16:54 GMT expires: - '-1' pragma: 
@@ -31345,27 +32791,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Web Application should only be accessible - over HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of - HTTPS ensures server/service authentication and protects data in transit from - network layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d","type":"Microsoft.Authorization/policyDefinitions","name":"a4af4a39-4135-47fb-b175-47fbdf85311d"}' + string: '{"properties":{"displayName":"Require encryption on Data Lake Store + accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy + ensures encryption is enabled on all Data Lake Store accounts","metadata":{"version":"1.0.0","category":"Data + 
Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"}' headers: cache-control: - no-cache content-length: - - '908' + - '672' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:33 GMT + - Thu, 06 Feb 2020 00:16:55 GMT expires: - '-1' pragma: @@ -31396,15 +32841,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9'' could not be found."}}' + ''a8bef009-a5c9-4d0f-90d7-6018734e8a16'' could not be found."}}' headers: cache-control: - no-cache @@ -31413,7 +32858,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:35 GMT + - Thu, 06 Feb 2020 00:16:56 GMT expires: - '-1' pragma: 
@@ -31440,30 +32885,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Auditing should be enabled on advanced - data security settings on SQL Server","policyType":"BuiltIn","mode":"Indexed","description":"Auditing - tracks database events and writes them to an audit log in the Azure storage - account. It also helps to maintain regulatory compliance, understand database - activity, and gain insight into discrepancies and anomalies that could indicate - business concerns or suspected security violations.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"setting":{"type":"String","metadata":{"displayName":"Desired - Auditing setting"},"allowedValues":["enabled","disabled"],"defaultValue":"enabled"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/auditingSettings","name":"default","existenceCondition":{"field":"Microsoft.Sql/auditingSettings.state","equals":"[parameters(''setting'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","type":"Microsoft.Authorization/policyDefinitions","name":"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"}' + string: 
'{"properties":{"displayName":"[Deprecated]: Monitor unencrypted SQL + databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted + SQL databases will be monitored by Azure Security Center as recommendations. + This policy is deprecated and replaced by the following policy: Transparent + Data Encryption on SQL databases should be enabled''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"}' headers: cache-control: - no-cache content-length: - - '1346' + - '1208' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:37 GMT + - Thu, 06 Feb 2020 00:16:56 GMT expires: - '-1' pragma: 
@@ -31494,15 +32938,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a70ca396-0a34-413a-88e1-b956c1e683be'' could not be found."}}' + ''a9a33475-481d-4b81-9116-0bf02ffe67e8'' could not be found."}}' headers: cache-control: - no-cache @@ -31511,7 +32955,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:39 GMT + - Thu, 06 Feb 2020 00:16:56 GMT expires: - '-1' pragma: 
@@ -31538,27 +32982,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"The Log Analytics agent should be installed - on virtual machines","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Windows/Linux virtual machines if the Log Analytics agent - is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachines/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be","type":"Microsoft.Authorization/policyDefinitions","name":"a70ca396-0a34-413a-88e1-b956c1e683be"}' + string: 
'{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: ''System Audit Policies - Detailed Tracking''. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"}' headers: cache-control: - no-cache content-length: - - '1348' + - '3271' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:40 GMT + - Thu, 06 Feb 2020 00:16:57 GMT expires: - '-1' pragma: 
@@ -31589,15 +33036,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a7aca53f-2ed4-4466-a25e-0b45ade68efd'' could not be found."}}' + ''a9b99dd8-06c5-4317-8629-9d86a3c6e7d9'' could not be found."}}' headers: cache-control: - no-cache @@ -31606,7 +33053,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:42 GMT + - Thu, 06 Feb 2020 00:16:58 GMT expires: - '-1' pragma: 
@@ -31633,27 +33080,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"DDoS Protection Standard should be enabled","policyType":"BuiltIn","mode":"All","description":"DDoS - protection standard should be enabled for all virtual networks with a subnet - that is part of an application gateway with a public IP.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"microsoft.network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableDDoSProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd","type":"Microsoft.Authorization/policyDefinitions","name":"a7aca53f-2ed4-4466-a25e-0b45ade68efd"}' + string: '{"properties":{"displayName":"Deploy network watcher when virtual networks + are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a network watcher resource in regions with virtual networks. 
You need + to ensure existence of a resource group named networkWatcherRG, which will + be used to deploy network watcher instances.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', + parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"}' headers: cache-control: - no-cache content-length: - - '1053' + - '1484' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:43 GMT + - Thu, 06 Feb 2020 00:16:58 GMT expires: - '-1' pragma: 
@@ -31684,15 +33132,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a7ff3161-0087-490a-9ad9-ad6217f4f43a'' could not be found."}}' + ''aa633080-8b72-40c4-a2d7-d00c03e80bed'' could not be found."}}' headers: cache-control: - no-cache @@ -31701,7 +33149,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:44 GMT + - Thu, 06 Feb 2020 00:17:00 GMT expires: - '-1' pragma: 
@@ -31728,26 +33176,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Require encryption on Data Lake Store - accounts","policyType":"BuiltIn","mode":"Indexed","description":"This policy - ensures encryption is enabled on all Data Lake Store accounts","metadata":{"category":"Data - Lake"},"parameters":{},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataLakeStore/accounts"},{"field":"Microsoft.DataLakeStore/accounts/encryptionState","equals":"Disabled"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a","type":"Microsoft.Authorization/policyDefinitions","name":"a7ff3161-0087-490a-9ad9-ad6217f4f43a"}' + string: '{"properties":{"displayName":"MFA should be enabled on accounts with + owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor + Authentication (MFA) should be enabled for all subscription accounts with + owner permissions to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"}' headers: cache-control: - no-cache content-length: - - '654' + - '1126' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:45 GMT + - Thu, 06 Feb 2020 00:17:00 GMT expires: - '-1' pragma: @@ -31778,15 +33228,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a8bef009-a5c9-4d0f-90d7-6018734e8a16'' could not be found."}}' + ''aa81768c-cb87-4ce2-bfaa-00baa10d760c'' could not be found."}}' headers: cache-control: - no-cache @@ -31795,7 +33245,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:47 GMT + - Thu, 06 Feb 2020 00:16:57 GMT expires: - '-1' pragma: 
@@ -31822,29 +33272,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated] Monitor unencrypted SQL - databases in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Unencrypted - SQL databases will be monitored by Azure Security Center as recommendations. - This policy is deprecated and replaced by the following policy: Transparent - Data Encryption on SQL databases should be enabled''","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"encryption","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16","type":"Microsoft.Authorization/policyDefinitions","name":"a8bef009-a5c9-4d0f-90d7-6018734e8a16"}' + string: '{"properties":{"displayName":"Ensure that Register with Azure Active + Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed + service 
identity in App Service makes the app more secure by eliminating secrets + from the app, such as credentials in the connection strings. When registering + with Azure Active Directory in the app service, the app will connect to other + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"}' headers: cache-control: - no-cache content-length: - - '1164' + - '1263' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:48 GMT + - Thu, 06 Feb 2020 00:16:58 GMT expires: - '-1' pragma: 
@@ -31875,15 +33326,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a9a33475-481d-4b81-9116-0bf02ffe67e8'' could not be found."}}' + ''ab965db2-d2bf-4b64-8b39-c38ec8179461'' could not be found."}}' headers: cache-control: - no-cache @@ -31892,7 +33343,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:50 GMT + - Thu, 06 Feb 2020 00:17:02 GMT expires: - '-1' pragma: 
@@ -31919,30 +33370,32 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''System Audit Policies - Detailed Tracking''","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''System Audit Policies - Detailed Tracking''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesDetailedTracking","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals"
:"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8","type":"Microsoft.Authorization/policyDefinitions","name":"a9a33475-481d-4b81-9116-0bf02ffe67e8"}' + string: '{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, + if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + newer versions are released for PHP software either due to security flaws + or to include additional functionality. Using the latest PHP version for Function + apps is recommended in order to to take advantage of security fixes, if any, + and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest + PHP version","description":"Latest supported PHP version for App Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', + 
parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"}' headers: cache-control: - no-cache content-length: - - '2687' + - '1892' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:51 GMT + - Thu, 06 Feb 2020 00:17:02 GMT expires: - '-1' pragma: @@ -31973,15 +33426,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''a9b99dd8-06c5-4317-8629-9d86a3c6e7d9'' could not be found."}}' + ''abcc6037-1fc4-47f6-aac5-89706589be24'' could not be found."}}' headers: cache-control: - no-cache @@ -31990,7 +33443,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:53 GMT + - Thu, 06 Feb 2020 00:17:04 GMT expires: - '-1' pragma: 
@@ -32017,28 +33470,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy network watcher when virtual networks - are created","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a network watcher resource in regions with virtual networks. You need - to ensure existence of a resource group named networkWatcherRG, which will - be used to deploy network watcher instances.","metadata":{"category":"Network"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"networkWatcherRG","existenceCondition":{"field":"location","equals":"[field(''location'')]"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"}},"resources":[{"apiVersion":"2016-09-01","type":"Microsoft.Network/networkWatchers","name":"[concat(''networkWatcher_'', - 
parameters(''location''))]","location":"[parameters(''location'')]"}]},"parameters":{"location":{"value":"[field(''location'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9","type":"Microsoft.Authorization/policyDefinitions","name":"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"}' + string: '{"properties":{"displayName":"[Deprecated]: Automatic provisioning + of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs + security agent on VMs for advanced security alerts and preventions in Azure + Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"}' headers: cache-control: - no-cache content-length: - - '1466' + - '971' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:54 GMT + - Thu, 06 Feb 2020 00:17:04 GMT expires: - '-1' pragma: 
@@ -32069,15 +33521,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''aa633080-8b72-40c4-a2d7-d00c03e80bed'' could not be found."}}' + ''abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9'' could not be found."}}' headers: cache-control: - no-cache @@ -32086,7 +33538,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:55 GMT + - Thu, 06 Feb 2020 00:17:05 GMT expires: - '-1' pragma: 
@@ -32113,28 +33565,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"MFA should be enabled on accounts with - owner permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor - Authentication (MFA) should be enabled for all subscription accounts with - owner permissions to prevent a breach of accounts or resources.","metadata":{"category":"Security - Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","type":"Microsoft.Authorization/policyDefinitions","name":"aa633080-8b72-40c4-a2d7-d00c03e80bed"}' + string: '{"properties":{"displayName":"Advanced data security should be enabled + on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL servers without Advanced Data 
Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"}' headers: cache-control: - no-cache content-length: - - '1108' + - '959' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:56 GMT + - Thu, 06 Feb 2020 00:17:05 GMT expires: - '-1' pragma: @@ -32165,15 +33615,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''aa81768c-cb87-4ce2-bfaa-00baa10d760c'' could not be found."}}' + ''abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9'' could not be found."}}' headers: cache-control: - no-cache 
@@ -32182,7 +33632,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:58 GMT + - Thu, 06 Feb 2020 00:17:06 GMT expires: - '-1' pragma: 
@@ -32209,30 +33659,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Ensure that Register with Azure Active - Directory is enabled on WEB App","policyType":"BuiltIn","mode":"Indexed","description":"Managed - service identity in App Service makes the app more secure by eliminating secrets - from the app, such as credentials in the connection strings. When registering - with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App - Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c","type":"Microsoft.Authorization/policyDefinitions","name":"aa81768c-cb87-4ce2-bfaa-00baa10d760c"}' + string: '{"properties":{"displayName":"Advanced data security should be enabled + on your SQL managed 
instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit + SQL managed instances without Advanced Data Security","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"}' headers: cache-control: - no-cache content-length: - - '1245' + - '1006' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:11:59 GMT + - Thu, 06 Feb 2020 00:17:06 GMT expires: - '-1' pragma: 
@@ -32263,15 +33709,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''ab965db2-d2bf-4b64-8b39-c38ec8179461'' could not be found."}}' + ''ac076320-ddcf-4066-b451-6154267e8ad2'' could not be found."}}' headers: cache-control: - no-cache @@ -32280,7 +33726,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:01 GMT + - Thu, 06 Feb 2020 00:17:07 GMT expires: - '-1' pragma: 
@@ -32307,32 +33753,31 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Ensure that ''PHP version'' is the latest, - if used as a part of the Function app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, - newer versions are released for PHP software either due to security flaws - or to include additional functionality. Using the latest PHP version for Function - apps is recommended in order to to take advantage of security fixes, if any, - and/or new functionalities of the latest version.","metadata":{"category":"App - Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"PHPLatestVersion":{"type":"String","metadata":{"displayName":"Latest - PHP version","description":"Latest supported PHP version for App 
Services"},"defaultValue":"7.3"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","notContains":"PHP"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":"[concat(''PHP|'', - parameters(''PHPLatestVersion''))]"},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":""}]},{"allOf":[{"field":"Microsoft.Web/sites/config/web.linuxFxVersion","equals":""},{"field":"Microsoft.Web/sites/config/web.phpVersion","equals":"[parameters(''PHPLatestVersion'')]"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461","type":"Microsoft.Authorization/policyDefinitions","name":"ab965db2-d2bf-4b64-8b39-c38ec8179461"}' + string: '{"properties":{"displayName":"Enable Azure Security Center on your + subscription","policyType":"BuiltIn","mode":"All","description":"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\nTo + register newly created subscriptions, open the compliance tab, select the + relevant non-compliant assignment and create a remediation task.\nRepeat this + step when you have one or more new subscriptions you want to monitor with + Security Center.","metadata":{"version":"1.0.0","category":"Security 
Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/pricings","name":"VirtualMachines","deploymentScope":"subscription","existenceScope":"subscription","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"existenceCondition":{"anyof":[{"field":"microsoft.security/pricings/pricingTier","equals":"standard"},{"field":"microsoft.security/pricings/pricingTier","equals":"free"}]},"deployment":{"location":"westeurope","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","variables":{},"resources":[{"type":"Microsoft.Security/pricings","apiVersion":"2018-06-01","name":"VirtualMachines","properties":{"pricingTier":"free"}}],"outputs":{}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2","type":"Microsoft.Authorization/policyDefinitions","name":"ac076320-ddcf-4066-b451-6154267e8ad2"}' headers: cache-control: - no-cache content-length: - - '1874' + - '1842' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:02 GMT + - Thu, 06 Feb 2020 00:17:07 GMT expires: - '-1' pragma: 
@@ -32363,15 +33808,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''abcc6037-1fc4-47f6-aac5-89706589be24'' could not be found."}}' + ''ac4a19c2-fa67-49b4-8ae5-0b2e78c49457'' could not be found."}}' headers: cache-control: - no-cache @@ -32380,7 +33825,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:03 GMT + - Thu, 06 Feb 2020 00:17:05 GMT expires: - '-1' pragma: 
@@ -32407,27 +33852,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Automatic provisioning - of security monitoring agent","policyType":"BuiltIn","mode":"All","description":"Installs - security agent on VMs for advanced security alerts and preventions in Azure - Security Center. Applies only for subscriptions that use Azure Security Center.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"AuditIfNotExists","details":{"type":"Microsoft.Security/complianceResults","name":"securityAgent","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24","type":"Microsoft.Authorization/policyDefinitions","name":"abcc6037-1fc4-47f6-aac5-89706589be24"}' + string: '{"properties":{"displayName":"[Preview]: Role-Based Access Control + (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To + provide granular filtering on the actions that users can perform, use Role-Based + Access Control (RBAC) to manage permissions in Kubernetes Service Clusters + and configure relevant authorization 
policies.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"}' headers: cache-control: - no-cache content-length: - - '942' + - '1184' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:04 GMT + - Thu, 06 Feb 2020 00:17:05 GMT expires: - '-1' pragma: 
@@ -32458,15 +33905,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9'' could not be found."}}' + ''ac7e5fc0-c029-4b12-91d4-a8500ce697f9'' could not be found."}}' headers: cache-control: - no-cache @@ -32475,7 +33922,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:06 GMT + - Thu, 06 Feb 2020 00:17:10 GMT expires: - '-1' pragma: 
@@ -32502,26 +33949,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Advanced data security should be enabled - on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL servers without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"}' + string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation + if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation if the ''environment'' tag is set to one of the following + values: production, dev, test, 
staging","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"}' headers: cache-control: - no-cache content-length: - - '941' + - '707' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:07 GMT + - Thu, 06 Feb 2020 00:17:10 GMT expires: - '-1' pragma: @@ -32552,15 +33999,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9'' could not be found."}}' + ''ae5d2f14-d830-42b6-9899-df6cfe9c71a3'' could not be found."}}' headers: cache-control: - no-cache @@ -32569,7 +34016,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:08 GMT + - Thu, 06 Feb 2020 00:17:11 GMT expires: - '-1' pragma: 
@@ -32596,26 +34043,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Advanced data security should be enabled - on your SQL managed instances","policyType":"BuiltIn","mode":"Indexed","description":"Audit - SQL managed instances without Advanced Data Security","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"Default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/state","equals":"Enabled"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","type":"Microsoft.Authorization/policyDefinitions","name":"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"}' + string: '{"properties":{"displayName":"SQL Server should use a virtual network + service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any SQL Server not configured to use a virtual network service + 
endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"}' headers: cache-control: - no-cache content-length: - - '988' + - '995' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:09 GMT + - Thu, 06 Feb 2020 00:17:11 GMT expires: - '-1' pragma: @@ -32646,15 +34094,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''ac4a19c2-fa67-49b4-8ae5-0b2e78c49457'' could not be found."}}' + ''aeb23562-188d-47cb-80b8-551f16ef9fff'' could not be found."}}' headers: cache-control: - no-cache 
@@ -32663,7 +34111,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:10 GMT + - Thu, 06 Feb 2020 00:17:12 GMT expires: - '-1' pragma: 
@@ -32690,29 +34138,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Role-Based Access Control - (RBAC) should be used on Kubernetes Services","policyType":"BuiltIn","mode":"All","description":"To - provide granular filtering on the actions that users can perform, use Role-Based - Access Control (RBAC) to manage permissions in Kubernetes Service Clusters - and configure relevant authorization policies.","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","exists":"false"},{"field":"Microsoft.ContainerService/managedClusters/enableRBAC","equals":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","type":"Microsoft.Authorization/policyDefinitions","name":"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"}' + string: '{"properties":{"displayName":"Email notifications to admins and subscription + owners should be enabled in SQL managed instance advanced data security 
settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit + that ''email notification to admins and subscription owners'' is enabled in + the SQL managed instance advanced threat protection settings. This ensures + that any detections of anomalous activities on SQL managed instance are reported + as soon as possible to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"}' headers: cache-control: - no-cache content-length: - - '1147' + - '1285' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:11 GMT + - Thu, 06 Feb 2020 00:17:12 GMT expires: - '-1' pragma: 
@@ -32743,15 +34191,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''ac7e5fc0-c029-4b12-91d4-a8500ce697f9'' could not be found."}}' + ''af6cd1bd-1635-48cb-bde7-5b15693900b9'' could not be found."}}' headers: cache-control: - no-cache @@ -32760,7 +34208,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:13 GMT + - Thu, 06 Feb 2020 00:17:13 GMT expires: - '-1' pragma: 
@@ -32787,26 +34235,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation - if ''environment'' tag value in allowed values","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation if the ''environment'' tag is set to one of the following - values: production, dev, test, staging","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags[''environment'']","in":["production","dev","test","staging"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9","type":"Microsoft.Authorization/policyDefinitions","name":"ac7e5fc0-c029-4b12-91d4-a8500ce697f9"}' + string: '{"properties":{"displayName":"Monitor missing Endpoint Protection in + Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers + without an installed Endpoint Protection agent will be monitored by Azure + Security Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"}' headers: cache-control: - no-cache content-length: - - '678' + - '1106' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:14 GMT + - Thu, 06 Feb 2020 00:17:14 GMT expires: - '-1' pragma: @@ -32837,15 +34287,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''ae5d2f14-d830-42b6-9899-df6cfe9c71a3'' could not be found."}}' + ''af8051bf-258b-44e2-a2bf-165330459f9d'' could not be found."}}' headers: cache-control: - no-cache 
@@ -32854,7 +34304,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:16 GMT + - Thu, 06 Feb 2020 00:17:14 GMT expires: - '-1' pragma: 
@@ -32881,27 +34331,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"SQL Server should use a virtual network - service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any SQL Server not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/virtualNetworkRules","existenceCondition":{"field":"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3","type":"Microsoft.Authorization/policyDefinitions","name":"ae5d2f14-d830-42b6-9899-df6cfe9c71a3"}' + string: '{"properties":{"displayName":"[Deprecated]: Monitor unaudited SQL servers + in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL + servers which don''t have SQL auditing turned on will be monitored by Azure + Security Center as recommendations. 
This policy is deprecated and replaced + by the following policy: ''Auditing should be enabled on advanced data security + settings on SQL Server''","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"}' headers: cache-control: - no-cache content-length: - - '977' + - '1232' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:16 GMT + - Thu, 06 Feb 2020 00:17:15 GMT expires: - '-1' pragma: 
@@ -32932,15 +34385,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''aeb23562-188d-47cb-80b8-551f16ef9fff'' could not be found."}}' + ''b02aacc0-b073-424e-8298-42b22829ee0a'' could not be found."}}' headers: cache-control: - no-cache @@ -32949,7 +34402,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:18 GMT + - Thu, 06 Feb 2020 00:17:16 GMT expires: - '-1' pragma: 
@@ -32976,29 +34429,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Email notifications to admins and subscription - owners should be enabled in SQL managed instance advanced data security settings","policyType":"BuiltIn","mode":"Indexed","description":"Audit - that ''email notification to admins and subscription owners'' is enabled in - the SQL managed instance advanced threat protection settings. This ensures - that any detections of anomalous activities on SQL managed instance are reported - as soon as possible to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff","type":"Microsoft.Authorization/policyDefinitions","name":"aeb23562-188d-47cb-80b8-551f16ef9fff"}' + string: '{"properties":{"displayName":"Activity log should be retained for at + least one 
year","policyType":"BuiltIn","mode":"All","description":"This policy + audits the activity log if the retention is not set for 365 days or forever + (retention days set to 0).","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"}' headers: cache-control: - no-cache content-length: - - '1267' + - '1281' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:19 GMT + - Thu, 06 Feb 2020 00:17:16 GMT expires: - '-1' pragma: 
@@ -33029,15 +34480,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''af6cd1bd-1635-48cb-bde7-5b15693900b9'' could not be found."}}' + ''b0f33259-77d7-4c9e-aac6-3aabcfae693c'' could not be found."}}' headers: cache-control: - no-cache @@ -33046,7 +34497,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:20 GMT + - Thu, 06 Feb 2020 00:17:17 GMT expires: - '-1' pragma: 
@@ -33073,27 +34524,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Monitor missing Endpoint Protection in - Azure Security Center","policyType":"BuiltIn","mode":"All","description":"Servers - without an installed Endpoint Protection agent will be monitored by Azure - Security Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"endpointProtection","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","type":"Microsoft.Authorization/policyDefinitions","name":"af6cd1bd-1635-48cb-bde7-5b15693900b9"}' + string: '{"properties":{"displayName":"Just-In-Time network access control should + be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible + network Just In Time (JIT) access will be monitored by Azure Security Center + as 
recommendations","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"}' headers: cache-control: - no-cache content-length: - - '1088' + - '1064' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:21 GMT + - Thu, 06 Feb 2020 00:17:17 GMT expires: - '-1' pragma: 
@@ -33124,15 +34575,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''af8051bf-258b-44e2-a2bf-165330459f9d'' could not be found."}}' + ''b18175dd-c599-4c64-83ba-bb018a06d35b'' could not be found."}}' headers: cache-control: - no-cache @@ -33141,7 +34592,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:23 GMT + - Thu, 06 Feb 2020 00:17:19 GMT expires: - '-1' pragma: 
@@ -33168,29 +34619,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated] Monitor unaudited SQL servers - in Azure Security Center","policyType":"BuiltIn","mode":"All","description":"SQL - servers which don''t have SQL auditing turned on will be monitored by Azure - Security Center as recommendations. This policy is deprecated and replaced - by the following policy: ''Auditing should be enabled on advanced data security - settings on SQL Server''","metadata":{"category":"Security Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.SQL/servers"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"auditing","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d","type":"Microsoft.Authorization/policyDefinitions","name":"af8051bf-258b-44e2-a2bf-165330459f9d"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux + VMs that do not have the passwd file permissions set to 
0644","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that do not have the passwd file permissions + set to 0644. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubun
tu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"}' headers: cache-control: - no-cache content-length: - - '1188' + - '3675' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:23 GMT + - Thu, 06 Feb 2020 00:17:19 GMT expires: - '-1' pragma: 
@@ -33221,15 +34673,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b02aacc0-b073-424e-8298-42b22829ee0a'' could not be found."}}' + ''b278e460-7cfc-4451-8294-cccc40a940d7'' could not be found."}}' headers: cache-control: - no-cache @@ -33238,7 +34690,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:25 GMT + - Thu, 06 Feb 2020 00:17:20 GMT expires: - '-1' pragma: 
@@ -33265,27 +34717,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Activity log should be retained for at - least one year","policyType":"BuiltIn","mode":"All","description":"This policy - audits the activity log if the retention is not set for 365 days or forever - (retention days set to 0).","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/logProfiles","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"true"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"365"}]},{"allOf":[{"field":"Microsoft.Insights/logProfiles/retentionPolicy.enabled","equals":"false"},{"field":"Microsoft.Insights/logProfiles/retentionPolicy.days","equals":"0"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a","type":"Microsoft.Authorization/policyDefinitions","name":"b02aacc0-b073-424e-8298-42b22829ee0a"}' + string: '{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey + 
should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event + Hub clients should not use a namespace level access policy that provides access + to all queues and topics in a namespace. To align with the least privilege + security model, you shoud create access policies at the entity level for queues + and topics to provide access to only the specific entity","metadata":{"version":"1.0.1","category":"Event + Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"}' headers: cache-control: - no-cache content-length: - - '1263' + - '1178' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:26 GMT + - Thu, 06 Feb 2020 00:17:20 GMT expires: - '-1' pragma: 
@@ -33316,15 +34771,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b0f33259-77d7-4c9e-aac6-3aabcfae693c'' could not be found."}}' + ''b2fc8f91-866d-4434-9089-5ebfe38d6fd8'' could not be found."}}' headers: cache-control: - no-cache @@ -33333,7 +34788,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:28 GMT + - Thu, 06 Feb 2020 00:17:22 GMT expires: - '-1' pragma: 
@@ -33360,27 +34815,41 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Just-In-Time network access control should - be applied on virtual machines","policyType":"BuiltIn","mode":"All","description":"Possible - network Just In Time (JIT) access will be monitored by Azure Security Center - as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"jitNetworkAccess","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","type":"Microsoft.Authorization/policyDefinitions","name":"b0f33259-77d7-4c9e-aac6-3aabcfae693c"}' + string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows + web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows web servers + that are not using secure 
communication protocols (TLS 1.1 or TLS 1.2). It + also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum + TLS version","description":"The minimum TLS protocol version that should be + enabled. Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"
cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', + ''='', 
parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"}' headers: cache-control: - no-cache content-length: - - '1046' + - '6710' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:29 GMT + - Thu, 06 Feb 2020 00:17:22 GMT expires: - '-1' pragma: 
@@ -33411,15 +34880,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b18175dd-c599-4c64-83ba-bb018a06d35b'' could not be found."}}' + ''b3802d79-dd88-4bce-b81d-780218e48280'' could not be found."}}' headers: cache-control: - no-cache @@ -33428,7 +34897,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:30 GMT + - Thu, 06 Feb 2020 00:17:22 GMT expires: - '-1' pragma: 
@@ -33455,29 +34924,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux - VMs that do not have the passwd file permissions set to 0644","policyType":"BuiltIn","mode":"All","description":"This + string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of - auditing Linux virtual machines that do not have the passwd file permissions - set to 0644. 
For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera
-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b","type":"Microsoft.Authorization/policyDefinitions","name":"b18175dd-c599-4c64-83ba-bb018a06d35b"}' + auditing Windows virtual machines with non-compliant settings in Group Policy + category: ''System Audit Policies - Logon-Logoff''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"}' headers: cache-control: - no-cache content-length: - - '3204' + - '3256' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:31 GMT + - Thu, 06 Feb 2020 00:17:22 GMT expires: - '-1' pragma: @@ -33508,15 +34978,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b278e460-7cfc-4451-8294-cccc40a940d7'' could not be found."}}' + ''b4330a05-a843-4bc8-bf9a-cacce50c67f4'' could not be found."}}' headers: cache-control: - no-cache 
@@ -33525,7 +34995,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:33 GMT + - Thu, 06 Feb 2020 00:17:24 GMT expires: - '-1' pragma: 
@@ -33552,30 +35022,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"All authorization rules except RootManageSharedAccessKey - should be removed from Event Hub namespace","policyType":"BuiltIn","mode":"All","description":"Event - Hub clients should not use a namespace level access policy that provides access - to all queues and topics in a namespace. To align with the least privilege - security model, you shoud create access policies at the entity level for queues - and topics to provide access to only the specific entity","metadata":{"category":"Event - Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces/authorizationRules"},{"field":"name","notEquals":"RootManageSharedAccessKey"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7","type":"Microsoft.Authorization/policyDefinitions","name":"b278e460-7cfc-4451-8294-cccc40a940d7"}' + string: '{"properties":{"displayName":"Diagnostic logs in Search services should + be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling + of diagnostic logs. 
This enables you to recreate activity trails to use for + investigation purposes; when a security incident occurs or when your network + is compromised","metadata":{"version":"2.0.0","category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required + retention (days)","description":"The required diagnostic logs retention in + days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"}' headers: cache-control: - no-cache content-length: - - '1160' + - '1901' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:34 GMT + - Thu, 06 Feb 2020 00:17:24 GMT expires: - '-1' pragma: 
@@ -33606,15 +35076,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b2fc8f91-866d-4434-9089-5ebfe38d6fd8'' could not be found."}}' + ''b48334a4-911b-4084-b1ab-3e6a4e50b951'' could not be found."}}' headers: cache-control: - no-cache @@ -33623,7 +35093,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:36 GMT + - Thu, 06 Feb 2020 00:17:25 GMT expires: - '-1' pragma: 
@@ -33650,41 +35120,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - web servers that are not using secure communication protocols","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows web servers - that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MinimumTLSVersion":{"type":"String","metadata":{"displayName":"Minimum - TLS version","description":"The minimum TLS protocol version that should be - enabled. 
Windows web servers with lower TLS versions will be marked as non-compliant."},"allowedValues":["1.1","1.2"],"defaultValue":"1.1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AuditSecureProtocol","r
oleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"anyOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[SecureWebServer]s1;MinimumTLSVersion'', - ''='', parameters(''MinimumTLSVersion'')))]"},{"allOf":[{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":""},{"value":"[parameters(''MinimumTLSVersion'')]","equals":"1.1"}]}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AuditSecureProtocol"},"MinimumTLSVersion":{"value":"[parameters(''MinimumTLSVersion'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MinimumTLSVersion":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - 
''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[SecureWebServer]s1;MinimumTLSVersion","value":"[parameters(''MinimumTLSVersion'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8","type":"Microsoft.Authorization/policyDefinitions","name":"b2fc8f91-866d-4434-9089-5ebfe38d6fd8"}' + string: '{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state + for an API App","policyType":"BuiltIn","mode":"All","description":"The Web + Sockets protocol is vulnerable to different types of security threats. 
Use + of Web Sockets within an API app must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"}' headers: cache-control: - no-cache content-length: - - '6299' + - '1203' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:37 GMT + - Thu, 06 Feb 2020 00:17:25 GMT expires: - '-1' pragma: 
@@ -33715,15 +35172,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b3802d79-dd88-4bce-b81d-780218e48280'' could not be found."}}' + ''b4d66858-c922-44e3-9566-5cdb7a7be744'' could not be found."}}' headers: cache-control: - no-cache @@ -33732,7 +35189,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:38 GMT + - Thu, 06 Feb 2020 00:17:26 GMT expires: - '-1' pragma: 
@@ -33759,30 +35216,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''System Audit Policies - Logon-Logoff''. 
For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Com
pliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280","type":"Microsoft.Authorization/policyDefinitions","name":"b3802d79-dd88-4bce-b81d-780218e48280"}' + string: '{"properties":{"displayName":"A security contact phone number should + be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter + a phone number to receive notifications when Azure Security Center detects + compromised resources","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"}' headers: cache-control: - no-cache content-length: - - '2672' + - '1008' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:39 GMT + - Thu, 06 Feb 2020 00:17:26 GMT expires: - '-1' pragma: 
@@ -33813,15 +35268,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b4330a05-a843-4bc8-bf9a-cacce50c67f4'' could not be found."}}' + ''b54ed75b-3e1a-44ac-a333-05ba39b99ff0'' could not be found."}}' headers: cache-control: - no-cache @@ -33830,7 +35285,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:42 GMT + - Thu, 06 Feb 2020 00:17:27 GMT expires: - '-1' pragma: 
@@ -33857,30 +35312,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Diagnostic logs in Search services should - be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling - of diagnostic logs. This enables you to recreate activity trails to use for - investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Search"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required - retention (days)","description":"The required diagnostic logs retention in - 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Search/searchServices"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4","type":"Microsoft.Authorization/policyDefinitions","name":"b4330a05-a843-4bc8-bf9a-cacce50c67f4"}' + string: '{"properties":{"displayName":"Service Fabric clusters should only use + Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit + usage of client authentication only via Azure Active Directory in Service + Fabric","metadata":{"version":"1.0.0","category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"}' headers: cache-control: - no-cache content-length: - - '1787' + - '1044' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:43 GMT + - Thu, 06 Feb 2020 00:17:27 GMT expires: - '-1' pragma: @@ -33911,15 +35363,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b48334a4-911b-4084-b1ab-3e6a4e50b951'' could not be found."}}' + ''b5f04e03-92a3-4b09-9410-2cc5e5047656'' could not be found."}}' headers: cache-control: - no-cache @@ -33928,7 +35380,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:44 GMT + - Thu, 06 Feb 2020 00:17:28 GMT expires: - '-1' pragma: 
@@ -33955,28 +35407,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state - for an API App","policyType":"BuiltIn","mode":"All","description":"The Web - Sockets protocol is vulnerable to different types of security threats. Use - of Web Sockets within an API app must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951","type":"Microsoft.Authorization/policyDefinitions","name":"b48334a4-911b-4084-b1ab-3e6a4e50b951"}' + string: '{"properties":{"displayName":"Deploy Advanced Threat Protection for + Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy enables Advanced 
Threat Protection across Cosmos DB accounts.","metadata":{"version":"1.0.0","category":"Cosmos + DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), + ''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"}' headers: cache-control: - no-cache content-length: - - '1175' + - '1683' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:45 GMT + - Thu, 06 Feb 2020 00:17:28 GMT expires: - '-1' pragma: 
@@ -34007,15 +35459,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b4d66858-c922-44e3-9566-5cdb7a7be744'' could not be found."}}' + ''b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0'' could not be found."}}' headers: cache-control: - no-cache @@ -34024,7 +35476,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:47 GMT + - Thu, 06 Feb 2020 00:17:30 GMT expires: - '-1' pragma: 
@@ -34051,27 +35503,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"A security contact phone number should - be provided for your subscription","policyType":"BuiltIn","mode":"All","description":"Enter - a phone number to receive notifications when Azure Security Center detects - compromised resources","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/securityContacts","existenceCondition":{"field":"Microsoft.Security/securityContacts/phone","notEquals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744","type":"Microsoft.Authorization/policyDefinitions","name":"b4d66858-c922-44e3-9566-5cdb7a7be744"}' + string: '{"properties":{"displayName":"Diagnostic logs in App Services should + be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling + of diagnostic logs on the app. 
This enables you to recreate activity trails + for investigation purposes if a security incident occurs or your network is + compromised","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"}' headers: cache-control: - no-cache content-length: - - '990' + - '1268' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:48 GMT + - Thu, 06 Feb 2020 00:17:30 GMT expires: - '-1' pragma: 
@@ -34102,15 +35555,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b54ed75b-3e1a-44ac-a333-05ba39b99ff0'' could not be found."}}' + ''b6e2945c-0b7b-40f5-9233-7a5323b5cdc6'' could not be found."}}' headers: cache-control: - no-cache @@ -34119,7 +35572,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:49 GMT + - Thu, 06 Feb 2020 00:17:31 GMT expires: - '-1' pragma: 
@@ -34146,27 +35599,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Service Fabric clusters should only use - Azure Active Directory for client authentication","policyType":"BuiltIn","mode":"Indexed","description":"Audit - usage of client authentication only via Azure Active Directory in Service - Fabric","metadata":{"category":"Service Fabric"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceFabric/clusters"},{"anyOf":[{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","exists":"false"},{"field":"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId","equals":""}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0","type":"Microsoft.Authorization/policyDefinitions","name":"b54ed75b-3e1a-44ac-a333-05ba39b99ff0"}' + string: '{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network + Watcher is a regional service that enables you to monitor and diagnose conditions + at a network scenario level in, to, and from Azure. 
Scenario level monitoring + enables you to diagnose problems at an end to end network level view. Network + diagnostic and visualization tools available with Network Watcher help you + understand, diagnose, and gain insights to your network in Azure.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit + if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"}' headers: cache-control: - no-cache content-length: - - '1026' + - '1229' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:50 GMT + - Thu, 06 Feb 2020 00:17:31 GMT expires: - '-1' pragma: 
@@ -34197,15 +35652,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b5f04e03-92a3-4b09-9410-2cc5e5047656'' could not be found."}}' + ''b7ddfbdc-1260-477d-91fd-98bd9be789a6'' could not be found."}}' headers: cache-control: - no-cache @@ -34214,7 +35669,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:53 GMT + - Thu, 06 Feb 2020 00:17:31 GMT expires: - '-1' pragma: 
@@ -34241,28 +35696,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy Advanced Threat Protection for - Cosmos DB Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy enables Advanced Threat Protection across Cosmos DB accounts.","metadata":{"category":"Cosmos - DB"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/advancedThreatProtectionSettings","name":"current","existenceCondition":{"field":"Microsoft.Security/advancedThreatProtectionSettings/isEnabled","equals":"true"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"cosmosDbAccountName":{"type":"string"}},"resources":[{"apiVersion":"2019-01-01","type":"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings","name":"[concat(parameters(''cosmosDbAccountName''), - 
''/Microsoft.Security/current'')]","properties":{"isEnabled":true}}]},"parameters":{"cosmosDbAccountName":{"value":"[field(''name'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656","type":"Microsoft.Authorization/policyDefinitions","name":"b5f04e03-92a3-4b09-9410-2cc5e5047656"}' + string: '{"properties":{"displayName":"API App should only be accessible over + HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS + ensures server/service authentication and protects data in transit from network + layer eavesdropping attacks.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"}' headers: cache-control: - no-cache content-length: - - '1665' + - '918' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:54 GMT + - Thu, 06 Feb 2020 00:17:31 GMT expires: - '-1' pragma: 
@@ -34293,15 +35748,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0'' could not be found."}}' + ''b821191b-3a12-44bc-9c38-212138a29ff3'' could not be found."}}' headers: cache-control: - no-cache @@ -34310,7 +35765,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:56 GMT + - Thu, 06 Feb 2020 00:17:32 GMT expires: - '-1' pragma: 
@@ -34337,28 +35792,42 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Diagnostic logs in App Services should - be enabled","policyType":"BuiltIn","mode":"All","description":"Audit enabling - of diagnostic logs on the app. This enables you to recreate activity trails - for investigation purposes if a security incident occurs or your network is - compromised","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","notContains":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"allOf":[{"field":"Microsoft.Web/sites/config/detailedErrorLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/httpLoggingEnabled","equals":"true"},{"field":"Microsoft.Web/sites/config/requestTracingEnabled","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0","type":"Microsoft.Authorization/policyDefinitions","name":"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"}' + string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows + VMs in which the Administrators 
group does not contain only the specified + members","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines + in which the Administrators group does not contain only the specified members. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A + semicolon-separated list of all the expected members of the Administrators + local group. Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"
}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', + ''='', 
parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"}' headers: cache-control: - no-cache content-length: - - '1250' + - '6439' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:57 GMT + - Thu, 06 Feb 2020 00:17:33 GMT expires: - '-1' pragma: 
@@ -34389,15 +35858,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b6e2945c-0b7b-40f5-9233-7a5323b5cdc6'' could not be found."}}' + ''b872a447-cc6f-43b9-bccf-45703cd81607'' could not be found."}}' headers: cache-control: - no-cache @@ -34406,7 +35875,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:12:59 GMT + - Thu, 06 Feb 2020 00:17:34 GMT expires: - '-1' pragma: 
@@ -34433,29 +35902,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Network Watcher should be enabled","policyType":"BuiltIn","mode":"All","description":"Network - Watcher is a regional service that enables you to monitor and diagnose conditions - at a network scenario level in, to, and from Azure. Scenario level monitoring - enables you to diagnose problems at an end to end network level view. Network - diagnostic and visualization tools available with Network Watcher help you - understand, diagnose, and gain insights to your network in Azure.","metadata":{"category":"Network"},"parameters":{"listOfLocations":{"type":"Array","metadata":{"displayName":"Locations","description":"Audit - if Network Watcher is not enabled for region(s).","strongType":"location"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.Network/networkWatchers","resourceGroupName":"NetworkWatcherRG","existenceCondition":{"field":"location","in":"[parameters(''listOfLocations'')]"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","type":"Microsoft.Authorization/policyDefinitions","name":"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"}' + string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows + VMs configurations in ''Security Options - 
Accounts''","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: ''Security Options - Accounts''. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"}' headers: cache-control: - no-cache content-length: - - '1211' + - '3231' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:00 GMT + - Thu, 06 Feb 2020 00:17:34 GMT expires: - '-1' pragma: 
@@ -34486,15 +35956,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b7ddfbdc-1260-477d-91fd-98bd9be789a6'' could not be found."}}' + ''b889a06c-ec72-4b03-910a-cb169ee18721'' could not be found."}}' headers: cache-control: - no-cache @@ -34503,7 +35973,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:02 GMT + - Thu, 06 Feb 2020 00:17:36 GMT expires: - '-1' pragma: 
@@ -34530,27 +36000,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"API App should only be accessible over - HTTPS","policyType":"BuiltIn","mode":"Indexed","description":"Use of HTTPS - ensures server/service authentication and protects data in transit from network - layer eavesdropping attacks.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"},{"field":"Microsoft.Web/sites/httpsOnly","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6","type":"Microsoft.Authorization/policyDefinitions","name":"b7ddfbdc-1260-477d-91fd-98bd9be789a6"}' + string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Logic + Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys + the diagnostic settings for Logic Apps to stream to a regional Log Analytics + workspace when any Logic Apps which is missing this diagnostic settings is + created or 
updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"}' headers: cache-control: - no-cache content-length: - - '900' + - '3724' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:03 GMT + - Thu, 06 Feb 2020 00:17:36 GMT expires: - '-1' pragma: 
@@ -34581,15 +36062,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b821191b-3a12-44bc-9c38-212138a29ff3'' could not be found."}}' + ''b954148f-4c11-4c38-8221-be76711e194a'' could not be found."}}' headers: cache-control: - no-cache @@ -34598,7 +36079,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:05 GMT + - Thu, 06 Feb 2020 00:17:37 GMT expires: - '-1' pragma: 
@@ -34625,42 +36106,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - VMs in which the Administrators group does not contain only the specified - members","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows virtual machines - in which the Administrators group does not contain only the specified members. - It also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"Members":{"type":"String","metadata":{"displayName":"Members","description":"A - semicolon-separated list of all the expected members of the Administrators - local group. 
Ex: Administrator; myUser1; myUser2"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-
42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[LocalGroup]AdministratorsGroup;Members'', - ''='', parameters(''Members'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AdministratorsGroupMembers"},"Members":{"value":"[parameters(''Members'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"Members":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[LocalGroup]AdministratorsGroup;Members","value":"[parameters(''Members'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3","type":"Microsoft.Authorization/policyDefinitions","name":"b821191b-3a12-44bc-9c38-212138a29ff3"}' + string: '{"properties":{"displayName":"An activity log alert should exist for + specific Administrative operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Administrative operations with no activity log alerts + configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Administrative Operation name for which activity log + alert should be configured"},"allowedValues":["Microsoft.Sql/servers/firewallRules/write","Microsoft.Sql/servers/firewallRules/delete","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/delete","Microsoft.ClassicNetwork/networkSecurityGroups/write","Microsoft.ClassicNetwork/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/securityRules/write","Microsoft.Network/networkSecurityGroups/securityRules/delete","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write","Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Administrative"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e1
94a","type":"Microsoft.Authorization/policyDefinitions","name":"b954148f-4c11-4c38-8221-be76711e194a"}' headers: cache-control: - no-cache content-length: - - '6028' + - '2529' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:06 GMT + - Thu, 06 Feb 2020 00:17:37 GMT expires: - '-1' pragma: @@ -34691,15 +36159,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b872a447-cc6f-43b9-bccf-45703cd81607'' could not be found."}}' + ''ba12366f-f9a6-42b8-9d98-157d0b1a837b'' could not be found."}}' headers: cache-control: - no-cache @@ -34708,7 +36176,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:08 GMT + - Thu, 06 Feb 2020 00:17:38 GMT expires: - '-1' pragma: 
@@ -34735,30 +36203,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b?api-version=2019-09-01 response: body: string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"All","description":"This + VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Security Options - Accounts''. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"
}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607","type":"Microsoft.Authorization/policyDefinitions","name":"b872a447-cc6f-43b9-bccf-45703cd81607"}' + category: ''Security Options - Recovery console''. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"al
lOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"}' headers: cache-control: - no-cache content-length: - - '2647' + - '3254' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:10 GMT + - Thu, 06 Feb 2020 00:17:38 GMT expires: - '-1' pragma: 
@@ -34789,15 +36257,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''b889a06c-ec72-4b03-910a-cb169ee18721'' could not be found."}}' + ''bbcdd8fa-b600-4ee3-85b8-d184e3339652'' could not be found."}}' headers: cache-control: - no-cache @@ -34806,7 +36274,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:11 GMT + - Thu, 06 Feb 2020 00:17:40 GMT expires: - '-1' pragma: 
@@ -34833,38 +36301,76 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Logic - Apps to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Logic Apps to stream to a regional Log Analytics - workspace when any Logic Apps which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Logic/workflows"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Logic/workflows/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"WorkflowRuntime","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721","type":"Microsoft.Authorization/policyDefinitions","name":"b889a06c-ec72-4b03-910a-cb169ee18721"}' + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit + Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: ''Security Options - + Microsoft Network Client''. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers","description":"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Amount of idle time required before suspending session","description":"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Digitally sign communications (always)","description":"Specifies + whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire","description":"Specifies + whether to disconnect users who are connected to the local computer outside + their user account''s valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOff
er","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft + network client: Digitally sign communications (always);ExpectedValue'', ''='', + parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', + ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers''), + '','', ''Microsoft network server: Amount of idle time required before suspending + session;ExpectedValue'', ''='', 
parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''), + '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), + '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', + ''='', parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"
type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft + network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft + network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"}' headers: cache-control: - no-cache content-length: - - '3706' + - '11998' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:12 GMT + - Thu, 06 Feb 2020 00:17:40 GMT expires: - '-1' pragma: @@ -34895,15 +36401,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''ba12366f-f9a6-42b8-9d98-157d0b1a837b'' could not be found."}}' + ''bc0378bb-d7ab-4614-a0f6-5a6e3f02d644'' could not be found."}}' headers: cache-control: - no-cache 
@@ -34912,7 +36418,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:14 GMT + - Thu, 06 Feb 2020 00:17:41 GMT expires: - '-1' pragma: 
@@ -34939,30 +36445,126 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications + that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use + the latest supported Python version for the latest security classes. Using + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"}' + headers: + cache-control: + - no-cache + content-length: + - '1235' + content-type: + - application/json; charset=utf-8 
+ date: + - Thu, 06 Feb 2020 00:17:41 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''bc87d811-4a9b-47cc-ae54-0a41abda7768'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:17:42 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768?api-version=2019-09-01 response: 
body: string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"All","description":"This + VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''Security Options - Recovery console''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-wind
ows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b","type":"Microsoft.Authorization/policyDefinitions","name":"ba12366f-f9a6-42b8-9d98-157d0b1a837b"}' + category: ''System Audit Policies - Account Logon''. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}
]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"}' headers: cache-control: - no-cache content-length: - - '2670' + - '3259' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:15 GMT + - Thu, 06 Feb 2020 00:17:42 GMT expires: - '-1' pragma: @@ -34993,15 +36595,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bbcdd8fa-b600-4ee3-85b8-d184e3339652'' could not be found."}}' + ''bd352bd5-2853-4985-bf0d-73806b4a5744'' could not be found."}}' headers: cache-control: - no-cache 
@@ -35010,7 +36612,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:18 GMT + - Thu, 06 Feb 2020 00:17:43 GMT expires: - '-1' pragma: 
@@ -35037,66 +36639,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit - Windows VMs configurations in ''Security Options - Microsoft Network Client''","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: ''Security Options - - Microsoft Network Client''. It also creates a system-assigned managed identity - and deploys the VM extension for Guest Configuration. This policy should only - be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network client: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB client component."},"defaultValue":"1"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"String","metadata":{"displayName":"Microsoft - network client: Send unencrypted password to third-party SMB servers","description":"Specifies - whether the SMB redirector will send plaintext passwords during authentication - to third-party SMB servers that do not support password encryption. It is - recommended that you disable this policy setting unless there is a strong - business case to enable it."},"defaultValue":"0"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"String","metadata":{"displayName":"Microsoft - network server: Amount of idle time required before suspending session","description":"Specifies - the amount of continuous idle time that must pass in an SMB session before - the session is suspended because of inactivity. 
The format of the value is - two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,15"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"String","metadata":{"displayName":"Microsoft - network server: Digitally sign communications (always)","description":"Specifies - whether packet signing is required by the SMB server component."},"defaultValue":"1"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"String","metadata":{"displayName":"Microsoft - network server: Disconnect clients when logon hours expire","description":"Specifies - whether to disconnect users who are connected to the local computer outside - their user account''s valid logon hours. This setting affects the Server Message - Block (SMB) component. If you enable this policy setting you should also enable - ''Network security: Force logoff when logon hours expire''"},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"re
ndering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Microsoft - network client: Digitally sign communications (always);ExpectedValue'', ''='', - parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways''), '','', - ''Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue'', - ''='', parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers''), - '','', ''Microsoft network server: Amount of idle time required before suspending - session;ExpectedValue'', ''='', parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession''), - '','', ''Microsoft network server: Digitally sign communications (always);ExpectedValue'', - ''='', parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways''), - '','', ''Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue'', - ''='', 
parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"MicrosoftNetworkClientDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers":{"type":"string"},"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession":{"type":"string"},"MicrosoftNetworkServerDigitallySignCommunicationsAlways":{"type":"string"},"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Microsoft - network client: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkClientDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network client: Send unencrypted password to third-party SMB servers;ExpectedValue","value":"[parameters(''MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'')]"},{"name":"Microsoft - network server: Amount of idle time required before suspending session;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'')]"},{"name":"Microsoft - network server: Digitally sign communications (always);ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDigitallySignCommunicationsAlways'')]"},{"name":"Microsoft - network server: Disconnect clients when logon hours expire;ExpectedValue","value":"[parameters(''MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652","type":"Microsoft.Authorization/policyDefinitions","name":"bbcdd8fa-b600-4ee3-85b8-d184e3339652"}' + string: '{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual + machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling + IP forwarding on a virtual machine''s NIC allows the machine to receive traffic + addressed to other destinations. IP forwarding is rarely required (e.g., when + using the VM as a network virtual appliance), and therefore, this should be + reviewed by the network security team.","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"}' headers: cache-control: - no-cache content-length: - - '9604' + - '1324' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:19 GMT + - Thu, 06 Feb 2020 00:17:43 GMT expires: - '-1' pragma: @@ -35127,15 +36693,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bc0378bb-d7ab-4614-a0f6-5a6e3f02d644'' could not be found."}}' + ''bda18df3-5e41-4709-add9-2554ce68c966'' could not be found."}}' headers: cache-control: - no-cache 
@@ -35144,7 +36710,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:20 GMT + - Thu, 06 Feb 2020 00:17:44 GMT expires: - '-1' pragma: 
@@ -35171,28 +36737,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Audit API Applications - that are not using latest supported Python Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Python version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestPython","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644","type":"Microsoft.Authorization/policyDefinitions","name":"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"}' + string: '{"properties":{"displayName":"Advanced Threat Protection types should + be set to ''All'' in SQL managed instance Advanced Data Security 
settings","policyType":"BuiltIn","mode":"Indexed","description":"It + is recommended to enable all Advanced Threat Protection types on your SQL + servers. Enabling all types protects against SQL injection, database vulnerabilities, + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"}' headers: cache-control: - no-cache content-length: - - '1207' + - '1192' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:21 GMT + - Thu, 06 Feb 2020 00:17:45 GMT expires: - '-1' pragma: 
@@ -35223,15 +36789,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bc87d811-4a9b-47cc-ae54-0a41abda7768'' could not be found."}}' + ''bde62c94-ccca-4821-a815-92c1d31a76de'' could not be found."}}' headers: cache-control: - no-cache @@ -35240,7 +36806,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:23 GMT + - Thu, 06 Feb 2020 00:17:45 GMT expires: - '-1' pragma: 
@@ -35267,30 +36833,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Windows - VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"All","description":"This + string: '{"properties":{"displayName":"Show audit results from Windows VMs in + which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines with non-compliant settings in Group Policy - category: ''System Audit Policies - Account Logon''. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Co
mpliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768","type":"Microsoft.Authorization/policyDefinitions","name":"bc87d811-4a9b-47cc-ae54-0a41abda7768"}' + auditing Windows virtual machines in which the Administrators group contains + any of the specified members. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microso
ft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"}' headers: cache-control: - no-cache content-length: - - '2675' + - '3207' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:24 GMT + - Thu, 06 Feb 2020 00:17:46 GMT expires: - '-1' pragma: 
@@ -35321,15 +36887,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bd352bd5-2853-4985-bf0d-73806b4a5744'' could not be found."}}' + ''be0a7681-bed4-48dc-9ff3-f0171ee170b6'' could not be found."}}' headers: cache-control: - no-cache @@ -35338,7 +36904,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:26 GMT + - Thu, 06 Feb 2020 00:17:47 GMT expires: - '-1' pragma: 
@@ -35365,29 +36931,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: IP Forwarding on your virtual - machine should be disabled","policyType":"BuiltIn","mode":"All","description":"Enabling - IP forwarding on a virtual machine''s NIC allows the machine to receive traffic - addressed to other destinations. IP forwarding is rarely required (e.g., when - using the VM as a network virtual appliance), and therefore, this should be - reviewed by the network security team.","metadata":{"category":"Security Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"disableIPForwarding","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["Monitored","OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","type":"Microsoft.Authorization/policyDefinitions","name":"bd352bd5-2853-4985-bf0d-73806b4a5744"}' + string: '{"properties":{"displayName":"[Deprecated]: Audit Web 
Applications + that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use + the latest supported Java version for the latest security classes. Using older + classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"}' headers: cache-control: - no-cache content-length: - - '1287' + - '1315' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:27 GMT + - Thu, 06 Feb 2020 00:17:47 GMT expires: - '-1' pragma: 
@@ -35418,15 +36983,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bda18df3-5e41-4709-add9-2554ce68c966'' could not be found."}}' + ''bef3f64c-5290-43b7-85b0-9b254eef4c47'' could not be found."}}' headers: cache-control: - no-cache @@ -35435,7 +37000,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:28 GMT + - Thu, 06 Feb 2020 00:17:48 GMT expires: - '-1' pragma: 
@@ -35462,28 +37027,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Advanced Threat Protection types should - be set to ''All'' in SQL managed instance Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It - is recommended to enable all Advanced Threat Protection types on your SQL - servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/managedInstances"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/managedInstances/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966","type":"Microsoft.Authorization/policyDefinitions","name":"bda18df3-5e41-4709-add9-2554ce68c966"}' + string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault + to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys + the 
diagnostic settings for Key Vault to stream to a regional Log Analytics + workspace when any Key Vault which is missing this diagnostic settings is + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile + name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log + Analytics workspace","description":"Select Log Analytics workspace from dropdown + list. If this workspace is outside of the scope of the assignment you must + manually grant ''Log Analytics Contributor'' permissions (or similar) to the + policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable + metrics","description":"Whether to enable metrics stream to the Event Hub + - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable + logs","description":"Whether to enable logs stream to the Event Hub - True + or 
False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), + ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"}' headers: cache-control: - no-cache content-length: - - '1174' + - '3716' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:30 GMT + - Thu, 06 Feb 2020 00:17:48 GMT expires: - '-1' pragma: 
@@ -35514,15 +37089,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bde62c94-ccca-4821-a815-92c1d31a76de'' could not be found."}}' + ''bf045164-79ba-4215-8f95-f8048dc1780b'' could not be found."}}' headers: cache-control: - no-cache @@ -35531,7 +37106,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:32 GMT + - Thu, 06 Feb 2020 00:17:50 GMT expires: - '-1' pragma: 
@@ -35558,30 +37133,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Show audit results from Windows VMs in - which the Administrators group contains any of the specified members","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines in which the Administrators group contains - any of the specified members. 
For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGro
upMembersToExclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de","type":"Microsoft.Authorization/policyDefinitions","name":"bde62c94-ccca-4821-a815-92c1d31a76de"}' + string: '{"properties":{"displayName":"Geo-redundant storage should be enabled + for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"}' headers: cache-control: - no-cache content-length: - - '2796' + - '947' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:33 GMT + - Thu, 06 Feb 2020 00:17:50 GMT expires: - '-1' pragma: 
@@ -35612,15 +37183,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''be0a7681-bed4-48dc-9ff3-f0171ee170b6'' could not be found."}}' + ''c04255ee-1b9f-42c1-abaa-bf1553f79930'' could not be found."}}' headers: cache-control: - no-cache @@ -35629,7 +37200,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:35 GMT + - Thu, 06 Feb 2020 00:17:51 GMT expires: - '-1' pragma: 
@@ -35656,28 +37227,44 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications - that are not using latest supported Java Framework","policyType":"BuiltIn","mode":"All","description":"Use - the latest supported Java version for the latest security classes. Using older - classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestJava","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6","type":"Microsoft.Authorization/policyDefinitions","name":"be0a7681-bed4-48dc-9ff3-f0171ee170b6"}' + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to 
audit + Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: ''System Audit Policies + - Logon-Logoff''. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Group Membership","description":"Specifies whether audit events are + generated when group memberships are enumerated on the client computer."},"allowedValues":["No + Auditing","Success","Failure","Success and 
Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}
]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"}' headers: cache-control: - no-cache content-length: - - '1287' + - '6691' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:36 GMT + - Thu, 06 Feb 2020 00:17:51 GMT expires: - '-1' pragma: 
@@ -35708,15 +37295,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bef3f64c-5290-43b7-85b0-9b254eef4c47'' could not be found."}}' + ''c0e996f8-39cf-4af9-9f45-83fbde810432'' could not be found."}}' headers: cache-control: - no-cache @@ -35725,7 +37312,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:37 GMT + - Thu, 06 Feb 2020 00:17:52 GMT expires: - '-1' pragma: 
@@ -35752,38 +37339,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault - to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - the diagnostic settings for Key Vault to stream to a regional Log Analytics - workspace when any Key Vault which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile - name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log - Analytics workspace","description":"Select Log Analytics workspace from dropdown - list. 
If this workspace is outside of the scope of the assignment you must - manually grant ''Log Analytics Contributor'' permissions (or similar) to the - policy assignment''s principal ID.","strongType":"omsWorkspace","assignPermissions":true}},"metricsEnabled":{"type":"String","metadata":{"displayName":"Enable - metrics","description":"Whether to enable metrics stream to the Event Hub - - True or False"},"allowedValues":["True","False"],"defaultValue":"False"},"logsEnabled":{"type":"String","metadata":{"displayName":"Enable - logs","description":"Whether to enable logs stream to the Event Hub - True - or False"},"allowedValues":["True","False"],"defaultValue":"True"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","name":"[parameters(''profileName'')]","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"[parameters(''logsEnabled'')]"},{"field":"Microsoft.Insights/diagnosticSettings/metrics.enabled","equals":"[parameters(''metricsEnabled'')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"string"},"location":{"type":"string"},"logAnalytics":{"type":"string"},"metricsEnabled":{"type":"string"},"logsEnabled":{"type":"string"},"profileName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.KeyVault/vaults/providers/diagnosticSettings","apiVersion":"2017-05-01-preview","name":"[concat(parameters(''resourceName''), - ''/'', ''Microsoft.Insights/'', 
parameters(''profileName''))]","location":"[parameters(''location'')]","dependsOn":[],"properties":{"workspaceId":"[parameters(''logAnalytics'')]","metrics":[{"category":"AllMetrics","enabled":"[parameters(''metricsEnabled'')]","retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AuditEvent","enabled":"[parameters(''logsEnabled'')]"}]}}],"outputs":{}},"parameters":{"location":{"value":"[field(''location'')]"},"resourceName":{"value":"[field(''name'')]"},"logAnalytics":{"value":"[parameters(''logAnalytics'')]"},"metricsEnabled":{"value":"[parameters(''metricsEnabled'')]"},"logsEnabled":{"value":"[parameters(''logsEnabled'')]"},"profileName":{"value":"[parameters(''profileName'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47","type":"Microsoft.Authorization/policyDefinitions","name":"bef3f64c-5290-43b7-85b0-9b254eef4c47"}' + string: '{"properties":{"displayName":"Only approved VM extensions should be + installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy + governs the virtual machine extensions that are not approved.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The + list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved + extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"}' headers: cache-control: - no-cache content-length: - - '3698' + - '1142' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:38 GMT + - Thu, 06 Feb 2020 00:17:52 GMT expires: - '-1' pragma: @@ -35814,15 +37391,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''bf045164-79ba-4215-8f95-f8048dc1780b'' could not be found."}}' + ''c15c281f-ea5c-44cd-90b8-fc3c14d13f0c'' could not be found."}}' headers: cache-control: - no-cache @@ -35831,7 +37408,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:40 GMT + - Thu, 06 Feb 2020 00:17:53 GMT expires: - '-1' pragma: 
@@ -35858,26 +37435,37 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Geo-redundant storage should be enabled - for Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Storage Account with geo-redundant storage not enabled.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"not":{"field":"Microsoft.Storage/storageAccounts/sku.name","in":["Standard_GRS","Standard_RAGRS","Standard_GZRS","Standard_RAGZRS"]}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b","type":"Microsoft.Authorization/policyDefinitions","name":"bf045164-79ba-4215-8f95-f8048dc1780b"}' + string: '{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys + an association resource that associates selected resource types to the specified + custom provider. 
This policy deployment does not support nested resource types.","metadata":{"version":"1.0.0","category":"Custom + Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom + provider ID","description":"Resource ID of the Custom provider to which resources + need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource + types to associate","description":"The list of resource types to be associated + to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association + name prefix","description":"Prefix to be added to the name of the association + resource being created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), + ''-'', uniqueString(parameters(''targetCustomProviderId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetCustomProviderId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), + ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), + ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', + uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, + 
''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"}' headers: cache-control: - no-cache content-length: - - '929' + - '3025' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:41 GMT + - Thu, 06 Feb 2020 00:17:53 GMT expires: - '-1' pragma: 
@@ -35908,15 +37496,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c04255ee-1b9f-42c1-abaa-bf1553f79930'' could not be found."}}' + ''c1b9cbed-08e3-427d-b9ce-7c535b1e9b94'' could not be found."}}' headers: cache-control: - no-cache @@ -35925,7 +37513,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:43 GMT + - Thu, 06 Feb 2020 00:17:54 GMT expires: - '-1' pragma: 
@@ -35952,38 +37540,26 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit - Windows VMs configurations in ''System Audit Policies - Logon-Logoff''","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: ''System Audit Policies - - Logon-Logoff''. It also creates a system-assigned managed identity and deploys - the VM extension for Guest Configuration. This policy should only be used - along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditGroupMembership":{"type":"String","metadata":{"displayName":"Audit - Group Membership","description":"Specifies whether audit events are generated - when group memberships are enumerated on the client computer."},"allowedValues":["No - Auditing","Success","Failure","Success and Failure"],"defaultValue":"Success"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesLogonLogoff","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Group Membership;ExpectedValue'', ''='', parameters(''AuditGroupMembership'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesLogonLogoff"},"AuditGroupMembership":{"value":"[parameters(''AuditGroupMembership'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditGroupMembership":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Group Membership;ExpectedValue","value":"[parameters(''AuditGroupMembership'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930","type":"Microsoft.Authorization/policyDefinitions","name":"c04255ee-1b9f-42c1-abaa-bf1553f79930"}' + string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation + only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows + resource creation in the following locations only: East Asia, Southeast Asia, + West India, South India, Central India, Japan East, Japan West","metadata":{"version":"1.0.0-deprecated","category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"}' headers: cache-control: - no-cache content-length: - - '5170' + - '763' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:44 GMT + - Thu, 06 Feb 2020 00:17:55 GMT expires: - '-1' pragma: 
@@ -36014,15 +37590,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c0e996f8-39cf-4af9-9f45-83fbde810432'' could not be found."}}' + ''c1e289c0-ffad-475d-a924-adc058765d65'' could not be found."}}' headers: cache-control: - no-cache @@ -36031,7 +37607,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:46 GMT + - Thu, 06 Feb 2020 00:17:56 GMT expires: - '-1' pragma: 
@@ -36058,28 +37634,47 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Only approved VM extensions should be - installed","policyType":"BuiltIn","mode":"Indexed","description":"This policy - governs the virtual machine extensions that are not approved.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The - effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"approvedExtensions":{"type":"Array","metadata":{"description":"The - list of approved extension types that can be installed. 
Example: AzureDiskEncryption","displayName":"Approved - extensions"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","notIn":"[parameters(''approvedExtensions'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432","type":"Microsoft.Authorization/policyDefinitions","name":"c0e996f8-39cf-4af9-9f45-83fbde810432"}' + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit + Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: ''System Audit Policies + - Account Logon''. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Credential Validation","description":"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
This + setting is especially useful for monitoring unsuccessful attempts, to find + brute-force attacks, account enumeration, and potential account compromise + events on domain controllers."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsof
t.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesAccountLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"}' headers: cache-control: - no-cache content-length: - - '1124' + - '6951' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:47 GMT + - Thu, 06 Feb 2020 00:17:56 GMT expires: - '-1' pragma: @@ -36110,15 +37705,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c15c281f-ea5c-44cd-90b8-fc3c14d13f0c'' could not be found."}}' + ''c21f7060-c148-41cf-a68b-0ab3e14c764c'' could not be found."}}' headers: cache-control: - no-cache 
@@ -36127,7 +37722,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:49 GMT + - Thu, 06 Feb 2020 00:17:57 GMT expires: - '-1' pragma: 
@@ -36154,37 +37749,90 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy associations for a custom provider","policyType":"BuiltIn","mode":"Indexed","description":"Deploys - an association resource that associates selected resource types to the specified - custom provider. This policy deployment does not support nested resource types.","metadata":{"category":"Custom - Provider"},"parameters":{"targetCustomProviderId":{"type":"String","metadata":{"displayName":"Custom - provider Id","description":"Resource ID of the Custom provider to which resources - need to be associated."}},"resourceTypesToAssociate":{"type":"Array","metadata":{"displayName":"Resource - types to associate","description":"The list of resource types to be associated - to the custom provider.","strongType":"resourceTypes"}},"associationNamePrefix":{"type":"String","metadata":{"displayName":"Association - name prefix","description":"Prefix to be added to the name of the association - resource being created."},"defaultValue":"DeployedByPolicy"}},"policyRule":{"if":{"field":"type","in":"[parameters(''resourceTypesToAssociate'')]"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.CustomProviders/Associations","name":"[concat(parameters(''associationNamePrefix''), - ''-'', 
uniqueString(parameters(''targetCustomProviderId'')))]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"associatedResourceName":{"type":"string"},"resourceTypesToAssociate":{"type":"string"},"targetCustomProviderId":{"type":"string"},"associationNamePrefix":{"type":"string"}},"variables":{"resourceType":"[concat(parameters(''resourceTypesToAssociate''), - ''/providers/associations'')]","resourceName":"[concat(parameters(''associatedResourceName''), - ''/microsoft.customproviders/'', parameters(''associationNamePrefix''), ''-'', - uniqueString(parameters(''targetCustomProviderId'')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2017-05-10","name":"[concat(deployment().Name, - ''-2'')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"[variables(''resourceType'')]","name":"[variables(''resourceName'')]","apiVersion":"2018-09-01-preview","properties":{"targetResourceId":"[parameters(''targetCustomProviderId'')]"}}]}}}]},"parameters":{"resourceTypesToAssociate":{"value":"[field(''type'')]"},"associatedResourceName":{"value":"[field(''name'')]"},"targetCustomProviderId":{"value":"[parameters(''targetCustomProviderId'')]"},"associationNamePrefix":{"value":"[parameters(''associationNamePrefix'')]"}}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c","type":"Microsoft.Authorization/policyDefinitions","name":"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"}' + string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows + VMs that are not set to the specified time 
zone","policyType":"BuiltIn","mode":"Indexed","description":"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that are not set to the specified time zone. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time + zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) + International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) + Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) + Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) + Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) + Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time + (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US + & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, + Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio + Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) + Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks + and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) + Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San + Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) + Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) + Greenland","(UTC-03:00) 
Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) + Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated + Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) + Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, + Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) + Casablanca","(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna","(UTC+01:00) + Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, + Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) + West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) + Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) + Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, + Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) + Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) + Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, + St. 
Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu + Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) + Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) + Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) + Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) + Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) + Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) + Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, + Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) + Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, + Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, + Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) + Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) + Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) + Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) + Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) + Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) + Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) + Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) + Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) + Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) + Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) + Kiritimati 
Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"fie
ld":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', + ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"}' headers: cache-control: - no-cache content-length: - - '3007' + - '10472' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:50 GMT + - Thu, 06 Feb 2020 00:17:57 GMT expires: - '-1' pragma: 
@@ -36215,15 +37863,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c1b9cbed-08e3-427d-b9ce-7c535b1e9b94'' could not be found."}}' + ''c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a'' could not be found."}}' headers: cache-control: - no-cache @@ -36232,7 +37880,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:52 GMT + - Thu, 06 Feb 2020 00:17:59 GMT expires: - '-1' pragma: 
@@ -36259,26 +37907,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation - only in Asia data centers","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation in the following locations only: East Asia, Southeast Asia, - West India, South India, Central India, Japan East, Japan West","metadata":{"category":"General","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"location","in":["eastasia","southeastasia","westindia","southindia","centralindia","japaneast","japanwest"]}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94","type":"Microsoft.Authorization/policyDefinitions","name":"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"}' + string: '{"properties":{"displayName":"Show audit results from Windows VMs on + which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"All","description":"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which the specified services are not + installed and ''Running''. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf"
:[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatus","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}' headers: cache-control: - no-cache content-length: - - '734' + - '3176' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:53 GMT + - Thu, 06 Feb 2020 00:17:59 GMT expires: - '-1' pragma: @@ -36309,15 +37961,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c1e289c0-ffad-475d-a924-adc058765d65'' could not be found."}}' + ''c2e7ca55-f62c-49b2-89a4-d41eb661d2f0'' could not be found."}}' headers: cache-control: - no-cache 
@@ -36326,7 +37978,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:55 GMT + - Thu, 06 Feb 2020 00:18:00 GMT expires: - '-1' pragma: 
@@ -36353,41 +38005,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit - Windows VMs configurations in ''System Audit Policies - Account Logon''","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - with non-compliant settings in Group Policy category: ''System Audit Policies - - Account Logon''. It also creates a system-assigned managed identity and - deploys the VM extension for Guest Configuration. This policy should only - be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditCredentialValidation":{"type":"String","metadata":{"displayName":"Audit - Credential Validation","description":"Specifies whether audit events are generated - when credentials are submitted for a user account logon request. 
This setting - is especially useful for monitoring unsuccessful attempts, to find brute-force - attacks, account enumeration, and potential account compromise events on domain - controllers."},"allowedValues":["No Auditing","Success","Failure","Success - and Failure"],"defaultValue":"Success and Failure"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name
":"AzureBaseline_SystemAuditPoliciesAccountLogon","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Credential Validation;ExpectedValue'', ''='', parameters(''AuditCredentialValidation'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesAccountLogon"},"AuditCredentialValidation":{"value":"[parameters(''AuditCredentialValidation'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditCredentialValidation":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Credential Validation;ExpectedValue","value":"[parameters(''AuditCredentialValidation'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65","type":"Microsoft.Authorization/policyDefinitions","name":"c1e289c0-ffad-475d-a924-adc058765d65"}' + string: '{"properties":{"displayName":"Ensure that ''.Net Framework'' version + is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, + newer versions are released for .Net Framework software either due to security + flaws or to include additional functionality. 
Using the latest .Net framework + version for web apps is recommended in order to to take advantage of security + fixes, if any, and/or new functionalities of the latest version.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"}' headers: cache-control: - no-cache content-length: - - '5420' + - '1279' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:56 GMT + - Thu, 06 Feb 2020 00:18:00 GMT expires: - '-1' pragma: 
@@ -36418,15 +38059,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c21f7060-c148-41cf-a68b-0ab3e14c764c'' could not be found."}}' + ''c3f317a7-a95c-4547-b7e7-11017ebdf2fe'' could not be found."}}' headers: cache-control: - no-cache @@ -36435,7 +38076,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:58 GMT + - Thu, 06 Feb 2020 00:18:01 GMT expires: - '-1' pragma: 
@@ -36462,90 +38103,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Deploy prerequisites to audit Windows - VMs that are not set to the specified time zone","policyType":"BuiltIn","mode":"Indexed","description":"This - policy creates a Guest Configuration assignment to audit Windows virtual machines - that are not set to the specified time zone. It also creates a system-assigned - managed identity and deploys the VM extension for Guest Configuration. This - policy should only be used along with its corresponding audit policy in an - initiative. 
For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"TimeZone":{"type":"String","metadata":{"displayName":"Time - zone","description":"The expected time zone"},"allowedValues":["(UTC-12:00) - International Date Line West","(UTC-11:00) Coordinated Universal Time-11","(UTC-10:00) - Aleutian Islands","(UTC-10:00) Hawaii","(UTC-09:30) Marquesas Islands","(UTC-09:00) - Alaska","(UTC-09:00) Coordinated Universal Time-09","(UTC-08:00) Baja California","(UTC-08:00) - Coordinated Universal Time-08","(UTC-08:00) Pacific Time (US & Canada)","(UTC-07:00) - Arizona","(UTC-07:00) Chihuahua, La Paz, Mazatlan","(UTC-07:00) Mountain Time - (US & Canada)","(UTC-06:00) Central America","(UTC-06:00) Central Time (US - & Canada)","(UTC-06:00) Easter Island","(UTC-06:00) Guadalajara, Mexico City, - Monterrey","(UTC-06:00) Saskatchewan","(UTC-05:00) Bogota, Lima, Quito, Rio - Branco","(UTC-05:00) Chetumal","(UTC-05:00) Eastern Time (US & Canada)","(UTC-05:00) - Haiti","(UTC-05:00) Havana","(UTC-05:00) Indiana (East)","(UTC-05:00) Turks - and Caicos","(UTC-04:00) Asuncion","(UTC-04:00) Atlantic Time (Canada)","(UTC-04:00) - Caracas","(UTC-04:00) Cuiaba","(UTC-04:00) Georgetown, La Paz, Manaus, San - Juan","(UTC-04:00) Santiago","(UTC-03:30) Newfoundland","(UTC-03:00) Araguaina","(UTC-03:00) - Brasilia","(UTC-03:00) Cayenne, Fortaleza","(UTC-03:00) City of Buenos Aires","(UTC-03:00) - Greenland","(UTC-03:00) Montevideo","(UTC-03:00) Punta Arenas","(UTC-03:00) - Saint Pierre and Miquelon","(UTC-03:00) Salvador","(UTC-02:00) Coordinated - Universal Time-02","(UTC-02:00) Mid-Atlantic - Old","(UTC-01:00) Azores","(UTC-01:00) - Cabo Verde Is.","(UTC) Coordinated Universal Time","(UTC+00:00) Dublin, Edinburgh, - Lisbon, London","(UTC+00:00) Monrovia, Reykjavik","(UTC+00:00) Sao Tome","(UTC+01:00) - Casablanca","(UTC+01:00) Amsterdam, Berlin, 
Bern, Rome, Stockholm, Vienna","(UTC+01:00) - Belgrade, Bratislava, Budapest, Ljubljana, Prague","(UTC+01:00) Brussels, - Copenhagen, Madrid, Paris","(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb","(UTC+01:00) - West Central Africa","(UTC+02:00) Amman","(UTC+02:00) Athens, Bucharest","(UTC+02:00) - Beirut","(UTC+02:00) Cairo","(UTC+02:00) Chisinau","(UTC+02:00) Damascus","(UTC+02:00) - Gaza, Hebron","(UTC+02:00) Harare, Pretoria","(UTC+02:00) Helsinki, Kyiv, - Riga, Sofia, Tallinn, Vilnius","(UTC+02:00) Jerusalem","(UTC+02:00) Kaliningrad","(UTC+02:00) - Khartoum","(UTC+02:00) Tripoli","(UTC+02:00) Windhoek","(UTC+03:00) Baghdad","(UTC+03:00) - Istanbul","(UTC+03:00) Kuwait, Riyadh","(UTC+03:00) Minsk","(UTC+03:00) Moscow, - St. Petersburg","(UTC+03:00) Nairobi","(UTC+03:30) Tehran","(UTC+04:00) Abu - Dhabi, Muscat","(UTC+04:00) Astrakhan, Ulyanovsk","(UTC+04:00) Baku","(UTC+04:00) - Izhevsk, Samara","(UTC+04:00) Port Louis","(UTC+04:00) Saratov","(UTC+04:00) - Tbilisi","(UTC+04:00) Volgograd","(UTC+04:00) Yerevan","(UTC+04:30) Kabul","(UTC+05:00) - Ashgabat, Tashkent","(UTC+05:00) Ekaterinburg","(UTC+05:00) Islamabad, Karachi","(UTC+05:00) - Qyzylorda","(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi","(UTC+05:30) - Sri Jayawardenepura","(UTC+05:45) Kathmandu","(UTC+06:00) Astana","(UTC+06:00) - Dhaka","(UTC+06:00) Omsk","(UTC+06:30) Yangon (Rangoon)","(UTC+07:00) Bangkok, - Hanoi, Jakarta","(UTC+07:00) Barnaul, Gorno-Altaysk","(UTC+07:00) Hovd","(UTC+07:00) - Krasnoyarsk","(UTC+07:00) Novosibirsk","(UTC+07:00) Tomsk","(UTC+08:00) Beijing, - Chongqing, Hong Kong, Urumqi","(UTC+08:00) Irkutsk","(UTC+08:00) Kuala Lumpur, - Singapore","(UTC+08:00) Perth","(UTC+08:00) Taipei","(UTC+08:00) Ulaanbaatar","(UTC+08:45) - Eucla","(UTC+09:00) Chita","(UTC+09:00) Osaka, Sapporo, Tokyo","(UTC+09:00) - Pyongyang","(UTC+09:00) Seoul","(UTC+09:00) Yakutsk","(UTC+09:30) Adelaide","(UTC+09:30) - Darwin","(UTC+10:00) Brisbane","(UTC+10:00) Canberra, Melbourne, Sydney","(UTC+10:00) - 
Guam, Port Moresby","(UTC+10:00) Hobart","(UTC+10:00) Vladivostok","(UTC+10:30) - Lord Howe Island","(UTC+11:00) Bougainville Island","(UTC+11:00) Chokurdakh","(UTC+11:00) - Magadan","(UTC+11:00) Norfolk Island","(UTC+11:00) Sakhalin","(UTC+11:00) - Solomon Is., New Caledonia","(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky","(UTC+12:00) - Auckland, Wellington","(UTC+12:00) Coordinated Universal Time+12","(UTC+12:00) - Fiji","(UTC+12:00) Petropavlovsk-Kamchatsky - Old","(UTC+12:45) Chatham Islands","(UTC+13:00) - Coordinated Universal Time+13","(UTC+13:00) Nuku''alofa","(UTC+13:00) Samoa","(UTC+14:00) - Kiritimati Island"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microso
ft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsTimeZone","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[WindowsTimeZone]WindowsTimeZone1;TimeZone'', - ''='', parameters(''TimeZone'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsTimeZone"},"TimeZone":{"value":"[parameters(''TimeZone'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"TimeZone":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[WindowsTimeZone]WindowsTimeZone1;TimeZone","value":"[parameters(''TimeZone'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c","type":"Microsoft.Authorization/policyDefinitions","name":"c21f7060-c148-41cf-a68b-0ab3e14c764c"}' + string: '{"properties":{"displayName":"System updates on virtual machine scale + sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit + whether there are any missing system security updates and critical updates + that should be installed to ensure that your Windows and Linux virtual machine + scale sets are secure.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"}' headers: cache-control: - no-cache content-length: - - '10061' + - '1142' content-type: - application/json; 
charset=utf-8 date: - - Fri, 06 Dec 2019 22:13:59 GMT + - Thu, 06 Feb 2020 00:18:01 GMT expires: - '-1' pragma: @@ -36576,15 +38156,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a'' could not be found."}}' + ''c40c9087-1981-4e73-9f53-39743eda9d05'' could not be found."}}' headers: cache-control: - no-cache @@ -36593,7 +38173,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:01 GMT + - Thu, 06 Feb 2020 00:18:02 GMT expires: - '-1' pragma: 
@@ -36620,29 +38200,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Show audit results from Windows VMs on - which the specified services are not installed and ''Running''","policyType":"BuiltIn","mode":"All","description":"This + string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux + VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of - auditing Windows virtual machines on which the specified services are not - installed and ''Running''. 
For more information on Guest Configuration policies, - please visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsServiceStatu
s","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a","type":"Microsoft.Authorization/policyDefinitions","name":"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"}' + auditing Linux virtual machines that have accounts without passwords. For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equa
ls":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"}' headers: cache-control: - no-cache content-length: - - '2765' + - '3635' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:02 GMT + - Thu, 06 Feb 2020 00:18:02 GMT expires: - '-1' pragma: 
@@ -36673,15 +38253,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c2e7ca55-f62c-49b2-89a4-d41eb661d2f0'' could not be found."}}' + ''c43e4a30-77cb-48ab-a4dd-93f175c63b57'' could not be found."}}' headers: cache-control: - no-cache @@ -36690,7 +38270,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:04 GMT + - Thu, 06 Feb 2020 00:18:03 GMT expires: - '-1' pragma: 
@@ -36717,30 +38297,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Ensure that ''.Net Framework'' version - is the latest, if used as a part of the API app","policyType":"BuiltIn","mode":"Indexed","description":"Periodically, - newer versions are released for .Net Framework software either due to security - flaws or to include additional functionality. Using the latest .Net framework - version for web apps is recommended in order to to take advantage of security - fixes, if any, and/or new functionalities of the latest version.","metadata":{"category":"App - Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.netFrameworkVersion","in":["v3.0","v4.0"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0","type":"Microsoft.Authorization/policyDefinitions","name":"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"}' + string: '{"properties":{"displayName":"Microsoft Antimalware for Azure should + be configured 
to automatically update protection signatures","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Windows virtual machine not configured with automatic update + of Microsoft Antimalware protection signatures.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"}' headers: cache-control: - no-cache content-length: - - '1261' + - '1406' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:05 GMT + - Thu, 06 Feb 2020 00:18:03 GMT expires: - '-1' pragma: 
@@ -36771,15 +38348,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c3f317a7-a95c-4547-b7e7-11017ebdf2fe'' could not be found."}}' + ''c4857be7-912a-4c75-87e6-e30292bcdf78'' could not be found."}}' headers: cache-control: - no-cache @@ -36788,7 +38365,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:07 GMT + - Thu, 06 Feb 2020 00:18:04 GMT expires: - '-1' pragma: 
@@ -36815,28 +38392,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"System updates on virtual machine scale - sets should be installed","policyType":"BuiltIn","mode":"Indexed","description":"Audit - whether there are any missing system security updates and critical updates - that should be installed to ensure that your Windows and Linux virtual machine - scale sets are secure.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"SystemUpdates","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe","type":"Microsoft.Authorization/policyDefinitions","name":"c3f317a7-a95c-4547-b7e7-11017ebdf2fe"}' + string: '{"properties":{"displayName":"[Preview]: Container Registry should + use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This + policy audits any Container Registry not configured to 
use a virtual network + service endpoint.","metadata":{"version":"1.0.0-preview","category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"}' headers: cache-control: - no-cache content-length: - - '1124' + - '1110' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:08 GMT + - Thu, 06 Feb 2020 00:18:04 GMT expires: - '-1' pragma: 
@@ -36867,15 +38443,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c40c9087-1981-4e73-9f53-39743eda9d05'' could not be found."}}' + ''c4d441f8-f9d9-4a9e-9cef-e82117cb3eef'' could not be found."}}' headers: cache-control: - no-cache @@ -36884,7 +38460,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:09 GMT + - Thu, 06 Feb 2020 00:18:06 GMT expires: - '-1' pragma: 
@@ -36911,29 +38487,27 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Show audit results from Linux - VMs that have accounts without passwords","policyType":"BuiltIn","mode":"All","description":"This - policy should only be used along with its corresponding deploy policy in an - initiative. This definition allows Azure Policy to process the results of - auditing Linux virtual machines that have accounts without passwords. 
For - more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloude
ra-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid232","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05","type":"Microsoft.Authorization/policyDefinitions","name":"c40c9087-1981-4e73-9f53-39743eda9d05"}' + string: '{"properties":{"displayName":"Managed identity should be used in your + API App","policyType":"BuiltIn","mode":"Indexed","description":"Use a managed + identity for enhanced authentication security","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"}' headers: cache-control: - no-cache content-length: - - '3164' + - '984' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:11 GMT + - Thu, 06 Feb 2020 00:18:06 GMT expires: - '-1' 
pragma: @@ -36964,15 +38538,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c43e4a30-77cb-48ab-a4dd-93f175c63b57'' could not be found."}}' + ''c4ebc54a-46e1-481a-bee2-d4411e95d828'' could not be found."}}' headers: cache-control: - no-cache @@ -36981,7 +38555,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:13 GMT + - Thu, 06 Feb 2020 00:18:07 GMT expires: - '-1' pragma: 
@@ -37008,27 +38582,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Microsoft Antimalware for Azure should - be configured to automatically update protection signatures","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Windows virtual machine not configured with automatic update - of Microsoft Antimalware protection signatures.","metadata":{"category":"Compute"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","equals":"Windows"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachines/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"IaaSAntimalware"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.Azure.Security"},{"field":"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion","equals":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57","type":"Microsoft.Authorization/policyDefinitions","name":"c43e4a30-77cb-48ab-a4dd-93f175c63b57"}' + string: '{"properties":{"displayName":"Authentication should be enabled on your + API app","policyType":"BuiltIn","mode":"Indexed","description":"Azure App + Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API app","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828","type":"Microsoft.Authorization/policyDefinitions","name":"c4ebc54a-46e1-481a-bee2-d4411e95d828"}' headers: cache-control: - no-cache content-length: - - '1388' + - '1099' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:14 GMT + - Thu, 06 Feb 2020 00:18:07 GMT expires: - '-1' pragma: @@ -37059,15 +38634,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c4857be7-912a-4c75-87e6-e30292bcdf78'' could not be found."}}' + ''c5447c04-a4d7-4ba8-a263-c9ee321a6858'' could not be found."}}' headers: cache-control: - no-cache @@ -37076,7 +38651,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:15 GMT + - Thu, 06 Feb 2020 00:18:08 GMT expires: - '-1' pragma: 
@@ -37103,27 +38678,28 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Container Registry should - use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This - policy audits any Container Registry not configured to use a virtual network - service endpoint.","metadata":{"category":"Network","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerRegistry/registries"},{"anyOf":[{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction","notEquals":"Deny"},{"field":"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78","type":"Microsoft.Authorization/policyDefinitions","name":"c4857be7-912a-4c75-87e6-e30292bcdf78"}' + string: '{"properties":{"displayName":"An activity log alert should exist for + specific Policy operations","policyType":"BuiltIn","mode":"All","description":"This + policy audits specific Policy operations with no activity log alerts 
configured.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"operationName":{"type":"String","metadata":{"displayName":"Operation + Name","description":"Policy Operation name for which activity log alert should + exist"},"allowedValues":["Microsoft.Authorization/policyAssignments/write","Microsoft.Authorization/policyAssignments/delete"]}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/ActivityLogAlerts","existenceCondition":{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts","exists":"true"},{"field":"Microsoft.Insights/ActivityLogAlerts/enabled","equals":"true"},{"count":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"Policy"}]},{"allOf":[{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"},{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals","equals":"[parameters(''operationName'')]"}]}]}},"equals":2},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"category"}},{"not":{"field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field","equals":"operationName"}}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858","type":"Microsoft.Authorization/policyDefinitions","name":"c5447c04-a4d7-4ba8-a263-c9ee321a6858"}' headers: cache-control: - no-cache content-length: - - '1073' + - '2094' content-type: - application/json; 
charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:16 GMT + - Thu, 06 Feb 2020 00:18:08 GMT expires: - '-1' pragma: @@ -37154,15 +38730,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c4d441f8-f9d9-4a9e-9cef-e82117cb3eef'' could not be found."}}' + ''c5fbc59e-fb6f-494f-81e2-d99a671bdaa8'' could not be found."}}' headers: cache-control: - no-cache @@ -37171,7 +38747,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:18 GMT + - Thu, 06 Feb 2020 00:18:09 GMT expires: - '-1' pragma: 
@@ -37198,27 +38774,64 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Managed identity should be used in your - API App","policyType":"BuiltIn","mode":"Indexed","description":"Use a managed - identity for enhanced authentication security","metadata":{"category":"App - Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef","type":"Microsoft.Authorization/policyDefinitions","name":"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"}' + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit + Windows VMs that contain certificates expiring within the specified number + of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy + creates a Guest Configuration assignment to audit Windows virtual machines + that contain certificates expiring within the specified number of days. 
It + also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate store path","description":"The path to the certificate store containing + the certificates to check the expiration dates of. Default value is ''Cert:'' + which is the root certificate store path, so all certificates on the machine + will be checked. Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', + ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"[Preview]: + Expiration limit in days","description":"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to include","description":"A semicolon-separated list + of certificate thumbprints to check under the specified path. If a value is + not specified, all certificates under the certificate store path will be checked. + If a value is specified, no certificates other than those with the thumbprints + specified will be checked. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"[Preview]: + Certificate thumbprints to exclude","description":"A semicolon-separated list + of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"[Preview]: + Include expired certificates","description":"Must be ''true'' or ''false''. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]}
,{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', + ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', + ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', + ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', + ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', + ''='', 
parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"IncludeExpiredCertificates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"}' headers: cache-control: - no-cache content-length: - - '966' + - '10419' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:19 GMT + - Thu, 06 Feb 2020 00:18:10 GMT expires: - '-1' pragma: @@ -37249,15 +38862,15 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8?api-version=2019-09-01 + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8?api-version=2019-09-01 response: body: string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition - ''c5fbc59e-fb6f-494f-81e2-d99a671bdaa8'' could not be found."}}' + ''c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8'' could not be found."}}' headers: cache-control: - no-cache 
@@ -37266,7 +38879,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:21 GMT + - Thu, 06 Feb 2020 00:18:10 GMT expires: - '-1' pragma: 
@@ -37293,64 +38906,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET - uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8?api-version=2019-09-01 + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit - Windows VMs that contain certificates expiring within the specified number - of days","policyType":"BuiltIn","mode":"Indexed","description":"This policy - creates a Guest Configuration assignment to audit Windows virtual machines - that contain certificates expiring within the specified number of days. It - also creates a system-assigned managed identity and deploys the VM extension - for Guest Configuration. This policy should only be used along with its corresponding - audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"CertificateStorePath":{"type":"String","metadata":{"displayName":"Certificate - store path","description":"The path to the certificate store containing the - certificates to check the expiration dates of. Default value is ''Cert:'' - which is the root certificate store path, so all certificates on the machine - will be checked. 
Other example paths: ''Cert:\\LocalMachine'', ''Cert:\\LocalMachine\\TrustedPublisher'', - ''Cert:\\CurrentUser''"},"defaultValue":"Cert:"},"ExpirationLimitInDays":{"type":"String","metadata":{"displayName":"Expiration - limit in days","description":"An integer indicating the number of days within - which to check for certificates that are expiring. For example, if this value - is 30, any certificate expiring within the next 30 days will cause this policy - to be non-compliant."},"defaultValue":"30"},"CertificateThumbprintsToInclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to include","description":"A semicolon-separated list of certificate - thumbprints to check under the specified path. If a value is not specified, - all certificates under the certificate store path will be checked. If a value - is specified, no certificates other than those with the thumbprints specified - will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"CertificateThumbprintsToExclude":{"type":"String","metadata":{"displayName":"Certificate - thumbprints to exclude","description":"A semicolon-separated list of certificate - thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"},"defaultValue":""},"IncludeExpiredCertificates":{"type":"String","metadata":{"displayName":"Include - expired certificates","description":"Must be ''true'' or ''false''. True indicates - that any found certificates that have already expired will also make this - policy non-compliant. 
False indicates that certificates that have expired - will be be ignored."},"allowedValues":["true","false"],"defaultValue":"false"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"CertificateExpiration
","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[CertificateStore]CertificateStore1;CertificateStorePath'', - ''='', parameters(''CertificateStorePath''), '','', ''[CertificateStore]CertificateStore1;ExpirationLimitInDays'', - ''='', parameters(''ExpirationLimitInDays''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude'', - ''='', parameters(''CertificateThumbprintsToInclude''), '','', ''[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude'', - ''='', parameters(''CertificateThumbprintsToExclude''), '','', ''[CertificateStore]CertificateStore1;IncludeExpiredCertificates'', - ''='', parameters(''IncludeExpiredCertificates'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"CertificateExpiration"},"CertificateStorePath":{"value":"[parameters(''CertificateStorePath'')]"},"ExpirationLimitInDays":{"value":"[parameters(''ExpirationLimitInDays'')]"},"CertificateThumbprintsToInclude":{"value":"[parameters(''CertificateThumbprintsToInclude'')]"},"CertificateThumbprintsToExclude":{"value":"[parameters(''CertificateThumbprintsToExclude'')]"},"IncludeExpiredCertificates":{"value":"[parameters(''IncludeExpiredCertificates'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"CertificateStorePath":{"type":"string"},"ExpirationLimitInDays":{"type":"string"},"CertificateThumbprintsToInclude":{"type":"string"},"CertificateThumbprintsToExclude":{"type":"string"},"In
cludeExpiredCertificates":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), - toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[CertificateStore]CertificateStore1;CertificateStorePath","value":"[parameters(''CertificateStorePath'')]"},{"name":"[CertificateStore]CertificateStore1;ExpirationLimitInDays","value":"[parameters(''ExpirationLimitInDays'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude","value":"[parameters(''CertificateThumbprintsToInclude'')]"},{"name":"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude","value":"[parameters(''CertificateThumbprintsToExclude'')]"},{"name":"[CertificateStore]CertificateStore1;IncludeExpiredCertificates","value":"[parameters(''IncludeExpiredCertificates'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), - toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), - 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8","type":"Microsoft.Authorization/policyDefinitions","name":"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"}' + string: '{"properties":{"displayName":"Authentication should be enabled on your + Function app","policyType":"BuiltIn","mode":"Indexed","description":"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","equals":"functionapp"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/siteAuthEnabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8","type":"Microsoft.Authorization/policyDefinitions","name":"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"}' headers: cache-control: - no-cache content-length: - - '9930' + - '1123' content-type: - application/json; charset=utf-8 date: - - Fri, 
06 Dec 2019 22:14:22 GMT + - Thu, 06 Feb 2020 00:18:10 GMT expires: - '-1' pragma: @@ -37381,7 +38959,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37398,7 +38976,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:24 GMT + - Thu, 06 Feb 2020 00:18:11 GMT expires: - '-1' pragma: @@ -37425,7 +39003,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37437,17 +39015,17 @@ interactions: that ''email notification to admins and subscription owners'' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible - to the admins.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the admins.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc","type":"Microsoft.Authorization/policyDefinitions","name":"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"}' headers: cache-control: - no-cache content-length: - - '1210' + - '1228' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:25 GMT + - Thu, 06 Feb 2020 00:18:11 GMT expires: - '-1' pragma: @@ -37478,7 +39056,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37495,7 +39073,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:27 GMT + - Thu, 06 Feb 2020 00:18:13 GMT expires: - '-1' pragma: 
@@ -37522,7 +39100,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37533,7 +39111,7 @@ interactions: Account to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings - is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -37549,11 +39127,11 @@ interactions: cache-control: - no-cache content-length: - - '3718' + - '3736' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:28 GMT + - Thu, 06 Feb 2020 00:18:13 GMT expires: - '-1' pragma: @@ -37584,7 +39162,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37601,7 +39179,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:30 GMT + - Thu, 06 Feb 2020 00:18:14 GMT expires: - '-1' pragma: @@ -37628,7 +39206,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37638,18 +39216,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: API App should only be accessible over HTTPS","policyType":"BuiltIn","mode":"All","description":"Use of HTTPS ensures server/service authentication and protects data in transit - from network layer eavesdropping attacks.","metadata":{"category":"Security - Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"}' + from network layer eavesdropping attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"api"},{"field":"kind","equals":"apiApp"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"OnlyHttpsForApiApp","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d","type":"Microsoft.Authorization/policyDefinitions","name":"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"}' headers: cache-control: - no-cache content-length: - - '1145' + - '1188' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:31 GMT + - Thu, 06 Feb 2020 00:18:14 GMT expires: - '-1' pragma: @@ -37680,7 +39258,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37697,7 +39275,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:33 GMT + - Thu, 06 Feb 2020 00:18:15 GMT expires: - '-1' pragma: @@ -37724,7 +39302,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37737,17 +39315,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Interactive Logon''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-w
indows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsInteractiveLogon","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d","type":"Microsoft.Authorization/policyDefinitions","name":"c8abcef9-fc26-482f-b8db-5fa60ee4586d"}' headers: cache-control: - no-cache content-length: - - '2673' + - '3257' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:34 GMT + - Thu, 06 Feb 2020 00:18:15 GMT expires: - '-1' pragma: @@ -37778,7 +39356,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37795,7 +39373,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:36 GMT + - Thu, 06 Feb 2020 00:18:16 GMT expires: - '-1' pragma: 
@@ -37822,7 +39400,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37833,19 +39411,20 @@ interactions: should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Data Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Data + Lake"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DataLakeAnalytics/accounts"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c","type":"Microsoft.Authorization/policyDefinitions","name":"c95c74d9-38fe-4f0d-af86-0c7d626a315c"}' headers: cache-control: - no-cache content-length: - - '1799' + - '1913' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:37 GMT + - Thu, 06 Feb 2020 00:18:16 GMT expires: - '-1' pragma: @@ -37876,7 +39455,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37893,7 +39472,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:39 GMT + - Thu, 06 Feb 2020 00:18:17 GMT expires: - '-1' pragma: 
@@ -37920,7 +39499,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -37933,17 +39512,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''User Rights Assignment''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Micro
soft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_UserRightsAssignment","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994","type":"Microsoft.Authorization/policyDefinitions","name":"c961dac9-5916-42e8-8fb1-703148323994"}' headers: cache-control: - no-cache content-length: - - '2634' + - '3218' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:40 GMT + - Thu, 06 Feb 2020 00:18:17 GMT expires: - '-1' pragma: @@ -37974,7 +39553,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -37991,7 +39570,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:42 GMT + - Thu, 06 Feb 2020 00:18:18 GMT expires: - '-1' pragma: 
@@ -38018,7 +39597,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38031,8 +39610,8 @@ interactions: with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/i
mageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/i
mageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPendingReboot","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPendingReboot"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -38044,11 +39623,11 @@ interactions: cache-control: - no-cache content-length: - - '5179' + - '5590' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:43 GMT + - Thu, 06 Feb 2020 00:18:19 GMT expires: - '-1' pragma: 
@@ -38079,7 +39658,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38096,7 +39675,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:45 GMT + - Thu, 06 Feb 2020 00:18:19 GMT expires: - '-1' pragma: @@ -38123,7 +39702,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38134,7 +39713,7 @@ interactions: Security Groups","policyType":"BuiltIn","mode":"Indexed","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name ''{storagePrefixParameter}{NSGLocation}'' will - be automatically created.","metadata":{"category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage + be automatically created.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"storagePrefix":{"type":"String","metadata":{"displayName":"Storage Account Prefix for Regional Storage Account","description":"This prefix will be combined with the network security group location to form the created storage account name."}},"rgName":{"type":"String","metadata":{"displayName":"Resource @@ -38149,11 +39728,11 @@ interactions: cache-control: - no-cache content-length: - - '3906' + - '3924' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:46 GMT + - Thu, 06 Feb 2020 00:18:19 GMT expires: - '-1' pragma: 
@@ -38184,7 +39763,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38201,7 +39780,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:48 GMT + - Thu, 06 Feb 2020 00:18:20 GMT expires: - '-1' pragma: @@ -38228,7 +39807,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38241,17 +39820,17 @@ interactions: that can''t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access - the storage account.","metadata":{"category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + the storage account.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","exists":"true"},{"field":"Microsoft.Storage/storageAccounts/networkAcls.bypass","notContains":"AzureServices"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd","type":"Microsoft.Authorization/policyDefinitions","name":"c9d007d0-c057-4772-b18c-01e546713bcd"}' headers: cache-control: - no-cache content-length: - - '1273' + - '1291' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:49 GMT + - Thu, 06 Feb 2020 00:18:20 GMT expires: - '-1' pragma: @@ -38282,7 +39861,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38299,7 +39878,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:51 GMT + - Thu, 06 Feb 2020 00:18:21 GMT expires: - '-1' pragma: 
@@ -38326,7 +39905,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38336,17 +39915,18 @@ interactions: string: '{"properties":{"displayName":"Remote debugging should be turned off for Web Applications","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on a web application. Remote - debugging should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + debugging should be turned off.","metadata":{"version":"1.0.0","category":"App + Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71","type":"Microsoft.Authorization/policyDefinitions","name":"cb510bfd-1cba-4d9f-a230-cb0976f4bb71"}' headers: cache-control: - no-cache content-length: - - '1021' + - '1039' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:52 GMT + - Thu, 06 Feb 2020 00:18:22 GMT expires: - '-1' pragma: 
@@ -38377,7 +39957,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38394,7 +39974,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:53 GMT + - Thu, 06 Feb 2020 00:18:23 GMT expires: - '-1' pragma: @@ -38421,7 +40001,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38434,17 +40014,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridC
ompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembers","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19","type":"Microsoft.Authorization/policyDefinitions","name":"cc7cda28-f867-4311-8497-a526129a8d19"}' headers: cache-control: - no-cache content-length: - - '2799' + - '3210' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:55 GMT + - Thu, 06 Feb 2020 00:18:23 GMT expires: - '-1' pragma: @@ -38475,7 +40055,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38492,7 +40072,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:57 GMT + - Thu, 06 Feb 2020 00:18:24 GMT expires: - '-1' pragma: 
@@ -38519,7 +40099,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38530,18 +40110,18 @@ interactions: databases should be classified","policyType":"BuiltIn","mode":"Indexed","description":"Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive - data in your databases for better monitoring and security","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"}' + data in your databases for better monitoring and security","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedInstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlDataClassification","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349","type":"Microsoft.Authorization/policyDefinitions","name":"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"}' headers: cache-control: - no-cache content-length: - - '1217' + - '1254' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:14:59 GMT + - Thu, 06 Feb 2020 00:18:24 GMT expires: - '-1' pragma: @@ -38572,7 +40152,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38589,7 +40169,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:00 GMT + - Thu, 06 Feb 2020 00:18:26 GMT expires: - '-1' pragma: @@ -38616,7 +40196,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38625,18 +40205,18 @@ interactions: body: string: '{"properties":{"displayName":"Allowed virtual machine SKUs","policyType":"BuiltIn","mode":"Indexed","description":"This policy enables you to specify a set of virtual machine SKUs that your organization - can deploy.","metadata":{"category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The + can deploy.","metadata":{"version":"1.0.0","category":"Compute"},"parameters":{"listOfAllowedSKUs":{"type":"Array","metadata":{"description":"The list of SKUs that can be specified for virtual machines.","displayName":"Allowed SKUs","strongType":"VMSKUs"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"not":{"field":"Microsoft.Compute/virtualMachines/sku.name","in":"[parameters(''listOfAllowedSKUs'')]"}}]},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3","type":"Microsoft.Authorization/policyDefinitions","name":"cccc23c7-8427-4f53-ad12-b6a63eb452b3"}' headers: cache-control: - no-cache content-length: - - '861' + - '879' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:01 GMT + - Thu, 06 Feb 2020 00:18:26 GMT expires: - '-1' pragma: @@ -38667,7 +40247,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38684,7 +40264,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:04 GMT + - Thu, 06 Feb 2020 00:18:27 GMT expires: - '-1' pragma: 
@@ -38711,7 +40291,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38721,7 +40301,7 @@ interactions: string: '{"properties":{"displayName":"Inherit a tag from the resource group","policyType":"BuiltIn","mode":"Indexed","description":"Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by - triggering a remediation task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + triggering a remediation task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[resourceGroup().tags[parameters(''tagName'')]]"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54","type":"Microsoft.Authorization/policyDefinitions","name":"cd3aa116-8754-49c9-a813-ad46512ece54"}' @@ -38729,11 +40309,11 @@ interactions: cache-control: - no-cache content-length: - - '1205' + - '1223' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:05 GMT + - Thu, 06 Feb 2020 00:18:27 GMT expires: - '-1' pragma: 
@@ -38764,7 +40344,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38781,7 +40361,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:06 GMT + - Thu, 06 Feb 2020 00:18:28 GMT expires: - '-1' pragma: @@ -38808,7 +40388,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38817,16 +40397,16 @@ interactions: body: string: '{"properties":{"displayName":"[Deprecated]: Allow resource creation if ''department'' tag set","policyType":"BuiltIn","mode":"Indexed","description":"Allows - resource creation only if the ''department'' tag is set","metadata":{"category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"}' + resource creation only if the ''department'' tag is set","metadata":{"version":"1.0.0-deprecated","category":"Tags","deprecated":true},"parameters":{},"policyRule":{"if":{"not":{"field":"tags","containsKey":"department"}},"then":{"effect":"Deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064","type":"Microsoft.Authorization/policyDefinitions","name":"cd8dc879-a2ae-43c3-8211-1877c5755064"}' headers: cache-control: - no-cache content-length: - - '567' + - '596' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:07 GMT + - Thu, 06 Feb 2020 00:18:28 GMT expires: - '-1' pragma: @@ -38857,7 +40437,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -38874,7 +40454,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:10 GMT + - Thu, 06 Feb 2020 00:18:28 GMT expires: - '-1' pragma: 
@@ -38901,7 +40481,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38913,17 +40493,17 @@ interactions: policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"}' + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compu
te/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"EnforcePasswordHistory","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293","type":"Microsoft.Authorization/policyDefinitions","name":"cdbf72d9-ac9c-4026-8a3a-491a5ac59293"}' headers: cache-control: - no-cache content-length: - - '2744' + - '3178' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:11 GMT + - Thu, 06 Feb 2020 00:18:29 GMT expires: - '-1' pragma: @@ -38954,7 +40534,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -38971,7 +40551,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:12 GMT + - Thu, 06 Feb 2020 00:18:30 GMT expires: - '-1' pragma: 
@@ -38998,33 +40578,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - Privilege Use''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Privilege Use''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPrivilegeUse","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesPrivilegeUse"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0","type":"Microsoft.Authorization/policyDefinitions","name":"ce2370f6-0ac5-4d85-8ab4-10721cc640b0"}' headers: cache-control: - no-cache content-length: - - '4394' + - '5782' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:14 GMT + - Thu, 06 Feb 2020 00:18:31 GMT expires: - '-1' pragma: @@ -39055,7 +40640,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39072,7 +40657,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:16 GMT + - Thu, 06 Feb 2020 00:18:31 GMT expires: - '-1' pragma: @@ -39099,7 +40684,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39110,7 +40695,7 @@ interactions: enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.KeyVault/vaults"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21","type":"Microsoft.Authorization/policyDefinitions","name":"cf820ca0-f99e-4f3e-84fb-66e913812d21"}' 
@@ -39118,11 +40703,11 @@ interactions: cache-control: - no-cache content-length: - - '1778' + - '1796' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:17 GMT + - Thu, 06 Feb 2020 00:18:32 GMT expires: - '-1' pragma: @@ -39153,7 +40738,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39170,7 +40755,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:19 GMT + - Thu, 06 Feb 2020 00:18:32 GMT expires: - '-1' pragma: @@ -39197,7 +40782,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39207,7 +40792,7 @@ interactions: string: '{"properties":{"displayName":"Add or replace a tag on resource groups","policyType":"BuiltIn","mode":"All","description":"Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation - task.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + task.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}},"tagValue":{"type":"String","metadata":{"displayName":"Tag Value","description":"Value of the tag, such as ''production''"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","notEquals":"[parameters(''tagValue'')]"}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"addOrReplace","field":"[concat(''tags['', @@ -39216,11 +40801,11 @@ interactions: cache-control: - no-cache content-length: - - '1269' + - '1287' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:20 GMT + - Thu, 06 Feb 2020 00:18:32 GMT expires: - '-1' pragma: @@ -39251,7 +40836,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39268,7 +40853,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:23 GMT + - Thu, 06 Feb 2020 00:18:33 GMT expires: - '-1' pragma: 
@@ -39295,7 +40880,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39309,17 +40894,17 @@ interactions: to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man-in-the-middle'' attacks by encrypting the data stream - between the server and your application","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + between the server and your application","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforPostgreSQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af","type":"Microsoft.Authorization/policyDefinitions","name":"d158790f-bfb0-486c-8631-2dc6b4e8e6af"}' headers: cache-control: - no-cache content-length: - - '1299' + - '1317' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:24 GMT + - Thu, 06 Feb 2020 00:18:35 GMT expires: - '-1' pragma: 
@@ -39350,7 +40935,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39367,7 +40952,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:26 GMT + - Thu, 06 Feb 2020 00:18:35 GMT expires: - '-1' pragma: @@ -39394,7 +40979,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39404,17 +40989,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Function Apps that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a Function app from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"}' + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"functionapp"},{"field":"kind","equals":"functionapp,linux"},{"field":"kind","equals":"functionapp,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c","type":"Microsoft.Authorization/policyDefinitions","name":"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"}' headers: cache-control: - no-cache content-length: - - '1235' + - '1263' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:27 GMT + - Thu, 06 Feb 2020 00:18:36 GMT expires: - '-1' pragma: @@ -39445,7 +41031,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39462,7 +41048,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:29 GMT + - Thu, 06 Feb 2020 00:18:36 GMT expires: - '-1' pragma: @@ -39489,7 +41075,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39504,8 +41090,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf"
:[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsDscConfiguration","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsDscConfiguration"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -39517,11 +41103,11 @@ interactions: cache-control: - no-cache content-length: - - '5330' + - '5764' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:30 GMT + - Thu, 06 Feb 2020 00:18:37 GMT expires: - '-1' pragma: 
@@ -39552,7 +41138,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39569,7 +41155,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:32 GMT + - Thu, 06 Feb 2020 00:18:37 GMT expires: - '-1' pragma: @@ -39596,7 +41182,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39606,17 +41192,17 @@ interactions: string: '{"properties":{"displayName":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers/databases"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies","name":"default","existenceCondition":{"anyOf":[{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention","notEquals":"PT0S"},{"field":"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention","notEquals":"PT0S"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570","type":"Microsoft.Authorization/policyDefinitions","name":"d38fc420-0735-4ef3-ac11-c806f651a570"}' headers: cache-control: - no-cache content-length: - - '1290' + - '1308' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:34 GMT + - Thu, 06 Feb 2020 00:18:37 GMT expires: - '-1' pragma: 
@@ -39647,7 +41233,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39664,7 +41250,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:35 GMT + - Thu, 06 Feb 2020 00:18:39 GMT expires: - '-1' pragma: @@ -39691,7 +41277,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39701,18 +41287,18 @@ interactions: string: '{"properties":{"displayName":"Virtual machines should be connected to an approved virtual network","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual machine connected to a virtual network that is not - approved.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The + approved.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The effect determines what happens when the policy rule is evaluated to match"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"},"virtualNetworkId":{"type":"String","metadata":{"displayName":"Virtual network Id","description":"Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkInterfaces"},{"not":{"field":"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id","like":"[concat(parameters(''virtualNetworkId''),''/*'')]"}}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3","type":"Microsoft.Authorization/policyDefinitions","name":"d416745a-506c-48b6-8ab1-83cb814bcaa3"}' headers: cache-control: - no-cache content-length: - - '1261' + - '1279' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:36 GMT + - Thu, 06 Feb 2020 00:18:39 GMT expires: - '-1' pragma: @@ -39743,7 +41329,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39760,7 +41346,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:38 GMT + - Thu, 06 Feb 2020 00:18:39 GMT expires: - '-1' pragma: @@ -39787,7 +41373,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39798,7 +41384,7 @@ interactions: Analytics to Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_logAnalytics"},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics workspace","description":"Select Log Analytics workspace from dropdown @@ -39814,11 +41400,11 @@ interactions: cache-control: - no-cache content-length: - - '3809' + - '3827' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:39 GMT + - Thu, 06 Feb 2020 00:18:40 GMT expires: - '-1' pragma: 
@@ -39849,7 +41435,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39866,7 +41452,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:42 GMT + - Thu, 06 Feb 2020 00:18:41 GMT expires: - '-1' pragma: @@ -39893,7 +41479,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -39903,17 +41489,17 @@ interactions: string: '{"properties":{"displayName":"Event Hub should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Event Hub not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/virtualNetworkRules","existenceCondition":{"field":"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0","type":"Microsoft.Authorization/policyDefinitions","name":"d63edb4a-c612-454d-b47d-191a724fcbf0"}' headers: cache-control: - no-cache content-length: - - '999' + - '1017' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:43 GMT + - Thu, 06 Feb 2020 00:18:41 GMT expires: - '-1' pragma: @@ -39944,7 +41530,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -39961,7 +41547,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:45 GMT + - Thu, 06 Feb 2020 00:18:42 GMT expires: - '-1' pragma: 
@@ -39988,7 +41574,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40001,16 +41587,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field"
:"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imag
eOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsSerialConsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc","type":"Microsoft.Authorization/policyDefinitions","name":"d7ccd0ca-8d78-42af-a43d-6b7f928accbc"}' headers: cache-control: - no-cache content-length: - - '2745' + - '3156' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:46 GMT + - Thu, 06 Feb 2020 00:18:42 GMT expires: - '-1' pragma: @@ -40041,7 +41628,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40058,7 +41645,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:47 GMT + - Thu, 06 Feb 2020 00:18:43 GMT expires: - '-1' pragma: 
@@ -40085,7 +41672,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40096,7 +41683,7 @@ interactions: Account to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created - or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -40113,11 +41700,11 @@ interactions: cache-control: - no-cache content-length: - - '3733' + - '3751' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:48 GMT + - Thu, 06 Feb 2020 00:18:43 GMT expires: - '-1' pragma: @@ -40148,7 +41735,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40165,7 +41752,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:50 GMT + - Thu, 06 Feb 2020 00:18:44 GMT expires: - '-1' pragma: @@ -40192,7 +41779,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40202,17 +41789,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using custom domains","policyType":"BuiltIn","mode":"All","description":"Use of custom domains protects a web application from common attacks such as phishing - and other DNS-related attacks.","metadata":{"category":"Security Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"}' + and other DNS-related attacks.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UsedCustomDomains","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a","type":"Microsoft.Authorization/policyDefinitions","name":"dd2ea520-6b06-45c3-806e-ea297c23e06a"}' headers: cache-control: - no-cache content-length: - - '1252' + - '1280' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:51 GMT + - Thu, 06 Feb 2020 00:18:45 GMT expires: - '-1' pragma: @@ -40243,7 +41831,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40260,7 +41848,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:49 GMT + - Thu, 06 Feb 2020 00:18:46 GMT expires: - '-1' pragma: @@ -40287,7 +41875,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40300,17 +41888,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - Policy Change''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details"
:{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bo
sh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesPolicyChange","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484","type":"Microsoft.Authorization/policyDefinitions","name":"dd4680ed-0559-4a6a-ad10-081d14cbb484"}' headers: cache-control: - no-cache content-length: - - '2675' + - '3259' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:50 GMT + - Thu, 06 Feb 2020 00:18:46 GMT expires: - '-1' pragma: @@ -40341,7 +41929,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40358,7 +41946,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:57 GMT + - Thu, 06 Feb 2020 00:18:47 GMT expires: - '-1' pragma: 
@@ -40385,7 +41973,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40398,17 +41986,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":
{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-w
indows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12","type":"Microsoft.Authorization/policyDefinitions","name":"ddb53c61-9db4-41d4-a953-2abff5b66c12"}' headers: cache-control: - no-cache content-length: - - '2673' + - '3257' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:58 GMT + - Thu, 06 Feb 2020 00:18:47 GMT expires: - '-1' pragma: @@ -40439,7 +42027,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40456,7 +42044,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:15:59 GMT + - Thu, 06 Feb 2020 00:18:48 GMT expires: - '-1' pragma: 
@@ -40483,39 +42071,45 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Recovery console''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Recovery console''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"Recovery - console: Allow floppy copy and access to all drives and all folders","description":"Specifies + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"String","metadata":{"displayName":"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders","description":"Specifies whether to make the Recovery Console SET command available, which allows setting - of recovery console environment variables."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"M
icrosoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery + of recovery console environment 
variables."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]
}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsRecoveryconsole","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue'', - ''='', parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsRecoveryconsole"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery - console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + console: Allow floppy copy and access to all drives and all 
folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue","value":"[parameters(''RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b","type":"Microsoft.Authorization/policyDefinitions","name":"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"}' headers: 
cache-control: - no-cache content-length: - - '5535' + - '7153' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:00 GMT + - Thu, 06 Feb 2020 00:18:48 GMT expires: - '-1' pragma: @@ -40546,7 +42140,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40563,7 +42157,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:03 GMT + - Thu, 06 Feb 2020 00:18:49 GMT expires: - '-1' pragma: @@ -40590,7 +42184,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40608,7 +42202,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:04 GMT + - Thu, 06 Feb 2020 00:18:49 GMT expires: - '-1' pragma: @@ -40639,7 +42233,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40656,7 +42250,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:06 GMT + - Thu, 06 Feb 2020 00:18:51 GMT expires: - '-1' pragma: @@ -40683,7 +42277,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40693,17 +42287,17 @@ interactions: string: '{"properties":{"displayName":"Cosmos DB should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Cosmos DB not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DocumentDB/databaseAccounts"},{"field":"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id","exists":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9","type":"Microsoft.Authorization/policyDefinitions","name":"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"}' headers: cache-control: - no-cache content-length: - - '897' + - '915' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:07 GMT + - Thu, 06 Feb 2020 00:18:51 GMT expires: - '-1' pragma: @@ -40734,7 +42328,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40751,7 +42345,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:09 GMT + - Thu, 06 Feb 2020 00:18:51 GMT expires: - '-1' pragma: 
@@ -40778,7 +42372,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40792,9 +42386,9 @@ interactions: execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ExecutionPolicy":{"type":"String","metadata":{"displayName":"PowerShell - Execution Policy","description":"The expected PowerShell execution policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"
center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', + Execution Policy","description":"The expected PowerShell execution 
policy."},"allowedValues":["AllSigned","Bypass","Default","RemoteSigned","Restricted","Undefined","Unrestricted"]}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","
notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy'', ''='', parameters(''ExecutionPolicy'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"WindowsPowerShellExecutionPolicy"},"ExecutionPolicy":{"value":"[parameters(''ExecutionPolicy'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ExecutionPolicy":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy","value":"[parameters(''ExecutionPolicy'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -40807,11 +42401,11 @@ interactions: cache-control: - no-cache content-length: - - '6229' + - '6640' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:10 GMT + - Thu, 06 Feb 2020 00:18:52 GMT expires: - '-1' pragma: @@ -40842,7 +42436,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40859,7 +42453,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:12 GMT + - Thu, 06 Feb 2020 00:18:52 GMT expires: - '-1' pragma: @@ -40886,7 +42480,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40896,17 +42490,18 @@ interactions: string: '{"properties":{"displayName":"Vulnerabilities in security configuration on your machines should be remediated","policyType":"BuiltIn","mode":"All","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security - Center as recommendations","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Center as recommendations","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"osVulnerabilities","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","type":"Microsoft.Authorization/policyDefinitions","name":"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"}' headers: cache-control: - no-cache content-length: - - '1104' + - '1122' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:13 GMT + - Thu, 06 Feb 2020 00:18:53 GMT expires: - '-1' pragma: @@ -40937,7 +42532,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -40954,7 +42549,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:16 GMT + - Thu, 06 Feb 2020 00:18:54 GMT expires: - '-1' pragma: @@ -40981,7 +42576,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -40993,17 +42588,17 @@ interactions: newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer - version.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + version.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.http20Enabled","equals":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c","type":"Microsoft.Authorization/policyDefinitions","name":"e2c1c086-2d84-4019-bff3-c44ccd95113c"}' headers: cache-control: - no-cache content-length: - - '1190' + - '1208' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:17 GMT + - Thu, 06 Feb 2020 00:18:54 GMT expires: - '-1' pragma: 
@@ -41034,7 +42629,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41051,7 +42646,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:19 GMT + - Thu, 06 Feb 2020 00:18:55 GMT expires: - '-1' pragma: @@ -41078,7 +42673,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41089,7 +42684,7 @@ interactions: in VMSS - VM Image (OS) unlisted","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time - as support is updated.","metadata":{"category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: + as support is updated.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"listOfImageIdToInclude_windows":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Windows OS to add to scope","description":"Example value: ''/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage''"},"defaultValue":[]},"listOfImageIdToInclude_linux":{"type":"Array","metadata":{"displayName":"Optional: List of VM images that have supported Linux OS to add to scope","description":"Example 
@@ -41098,11 +42693,11 @@ interactions: cache-control: - no-cache content-length: - - '5770' + - '5796' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:21 GMT + - Thu, 06 Feb 2020 00:18:55 GMT expires: - '-1' pragma: @@ -41133,7 +42728,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41150,7 +42745,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:22 GMT + - Thu, 06 Feb 2020 00:18:57 GMT expires: - '-1' pragma: @@ -41177,7 +42772,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -41186,17 +42781,17 @@ interactions: body: string: '{"properties":{"displayName":"Azure VPN gateways should not use ''basic'' SKU","policyType":"BuiltIn","mode":"All","description":"This policy ensures - that VPN gateways do not use ''basic'' SKU.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + that VPN gateways do not use ''basic'' SKU.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/virtualNetworkGateways"},{"field":"Microsoft.Network/virtualNetworkGateways/gatewayType","equals":"Vpn"},{"field":"Microsoft.Network/virtualNetworkGateways/sku.tier","equals":"Basic"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78","type":"Microsoft.Authorization/policyDefinitions","name":"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"}' headers: cache-control: - no-cache content-length: - - '923' + - '941' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:24 GMT + - Thu, 06 Feb 2020 00:18:57 GMT expires: - '-1' pragma: @@ -41227,7 +42822,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41244,7 +42839,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:26 GMT + - Thu, 06 Feb 2020 00:18:58 GMT expires: - '-1' pragma: 
@@ -41271,7 +42866,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41281,18 +42876,18 @@ interactions: string: '{"properties":{"displayName":"MFA should be enabled on accounts with read permissions on your subscription","policyType":"BuiltIn","mode":"All","description":"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with - read privileges to prevent a breach of accounts or resources.","metadata":{"category":"Security + read privileges to prevent a breach of accounts or resources.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"EnableMFAForReadPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64","type":"Microsoft.Authorization/policyDefinitions","name":"e3576e28-8b17-4677-84c3-db2990658d64"}' headers: cache-control: - no-cache content-length: - - '1104' + - '1122' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:27 GMT + - Thu, 06 Feb 2020 00:18:58 GMT expires: - '-1' pragma: 
@@ -41323,7 +42918,111 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''e372f825-a257-4fb8-9175-797a8a8627d6'' could not be found."}}' + headers: + cache-control: + - no-cache + content-length: + - '138' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:18:59 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"RDP access from the Internet should be + blocked","policyType":"BuiltIn","mode":"All","description":"This policy audits + any network security rule that allows RDP access from Internet","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the 
execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups/securityRules"},{"allOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/access","equals":"Allow"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/direction","equals":"Inbound"},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange","equals":"3389"},{"value":"[if(and(not(empty(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''))), + contains(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''),''-'')), + contains(range(int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))), sub(add(int(last(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))),1), int(first(split(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange''), + ''-''))))),3389), ''false'')]","equals":"true"},{"count":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","where":{"value":"[if(and(not(empty(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')))), + contains(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')),''-'')), + contains(range(int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))), sub(add(int(last(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + ''-''))),1), int(first(split(first(field(''Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'')), + 
''-''))))),3389), ''false'')]","equals":"true"}},"greater":0},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]","notEquals":"3389"}}]},{"anyOf":[{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"*"},{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix","equals":"Internet"},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"*"}},{"not":{"field":"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]","notEquals":"Internet"}}]}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6","type":"Microsoft.Authorization/policyDefinitions","name":"e372f825-a257-4fb8-9175-797a8a8627d6"}' + headers: + cache-control: + - no-cache + content-length: + - '3297' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:18:59 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -41340,7 +43039,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:29 GMT + - Thu, 06 Feb 2020 00:19:00 GMT expires: - '-1' pragma: @@ -41367,7 +43066,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -41380,17 +43079,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Shutdown''. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"
Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field"
:"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsShutdown","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03","type":"Microsoft.Authorization/policyDefinitions","name":"e3a77a94-cf41-4ee8-b45c-98be28841c03"}' headers: cache-control: - no-cache content-length: - - '2647' + - '3231' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:30 GMT + - Thu, 06 Feb 2020 00:19:00 GMT expires: - '-1' pragma: @@ -41421,7 +43120,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41438,7 +43137,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:32 GMT + - Thu, 06 Feb 2020 00:19:02 GMT expires: - '-1' pragma: 
@@ -41465,58 +43164,68 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Settings - Account Policies''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Settings - Account Policies''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"Enforce - password history","description":"Specifies limits on password reuse - how - many times a new password must be created for a user account before the password - can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"Maximum - password age","description":"Specifies the maximum number of days that may - elapse before a user account password must be changed. 
The format of the value - is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"Minimum - password age","description":"Specifies the minimum number of days that must - elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"Minimum - password length","description":"Specifies the minimum number of characters - that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"Password - must meet complexity requirements","description":"Specifies whether a user - account password must be complex. If required, a complex password must not - contain part of user''s account name or full name; be at least 6 characters - long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher"
,"equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"EnforcePasswordHistory":{"type":"String","metadata":{"displayName":"[Preview]: + Enforce password history","description":"Specifies limits on password reuse + - how many times a new password must be created for a user account before + the password can be repeated."},"defaultValue":"24"},"MaximumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Maximum password age","description":"Specifies the maximum number of days + that may elapse before a user account password must be changed. 
The format + of the value is two integers separated by a comma, denoting an inclusive range."},"defaultValue":"1,70"},"MinimumPasswordAge":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password age","description":"Specifies the minimum number of days + that must elapse before a user account password can be changed."},"defaultValue":"1"},"MinimumPasswordLength":{"type":"String","metadata":{"displayName":"[Preview]: + Minimum password length","description":"Specifies the minimum number of characters + that a user account password may contain."},"defaultValue":"14"},"PasswordMustMeetComplexityRequirements":{"type":"String","metadata":{"displayName":"[Preview]: + Password must meet complexity requirements","description":"Specifies whether + a user account password must be complex. If required, a complex password must + not contain part of user''s account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Micros
oft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecuritySettingsAccountPolicies","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Enforce password history;ExpectedValue'', ''='', parameters(''EnforcePasswordHistory''), '','', ''Maximum password age;ExpectedValue'', ''='', parameters(''MaximumPasswordAge''), '','', ''Minimum password age;ExpectedValue'', ''='', parameters(''MinimumPasswordAge''), '','', ''Minimum password length;ExpectedValue'', ''='', parameters(''MinimumPasswordLength''), '','', ''Password must meet complexity requirements;ExpectedValue'', 
''='', - parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + 
parameters(''PasswordMustMeetComplexityRequirements'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecuritySettingsAccountPolicies"},"EnforcePasswordHistory":{"value":"[parameters(''EnforcePasswordHistory'')]"},"MaximumPasswordAge":{"value":"[parameters(''MaximumPasswordAge'')]"},"MinimumPasswordAge":{"value":"[parameters(''MinimumPasswordAge'')]"},"MinimumPasswordLength":{"value":"[parameters(''MinimumPasswordLength'')]"},"PasswordMustMeetComplexityRequirements":{"value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"EnforcePasswordHistory":{"type":"string"},"MaximumPasswordAge":{"type":"string"},"MinimumPasswordAge":{"type":"string"},"MinimumPasswordLength":{"type":"string"},"PasswordMustMeetComplexityRequirements":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce + password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum + password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum + password 
age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum + password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Enforce password history;ExpectedValue","value":"[parameters(''EnforcePasswordHistory'')]"},{"name":"Maximum password age;ExpectedValue","value":"[parameters(''MaximumPasswordAge'')]"},{"name":"Minimum password age;ExpectedValue","value":"[parameters(''MinimumPasswordAge'')]"},{"name":"Minimum password length;ExpectedValue","value":"[parameters(''MinimumPasswordLength'')]"},{"name":"Password - must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + must meet complexity requirements;ExpectedValue","value":"[parameters(''PasswordMustMeetComplexityRequirements'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c","type":"Microsoft.Authorization/policyDefinitions","name":"e3d95ab7-f47a-49d8-a347-784177b6c94c"}' headers: cache-control: - no-cache content-length: - - '7614' + - '9595' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:33 GMT + - Thu, 06 Feb 2020 00:19:02 GMT expires: - '-1' pragma: @@ -41547,7 +43256,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41564,7 +43273,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:35 GMT + - Thu, 06 Feb 2020 00:19:02 GMT expires: - '-1' pragma: 
@@ -41591,30 +43300,30 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - User Account Control''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - User Account Control''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"UAC: - Admin Approval Mode for the Built-in Administrator account","description":"Specifies - the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Behavior of the elevation prompt for administrators in Admin Approval Mode","description":"Specifies - the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"UAC: - Detect application installations and prompt for elevation","description":"Specifies - the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"UAC: - Run all administrators in Admin Approval Mode","description":"Specifies the - behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equal
s":"[base64(concat(''User + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account","description":"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account."},"defaultValue":"1"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode","description":"Specifies the behavior of the elevation prompt for administrators."},"defaultValue":"2"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Detect application installations and prompt for elevation","description":"Specifies + the behavior of application installation detection for the computer."},"defaultValue":"1"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"String","metadata":{"displayName":"[Preview]: + UAC: Run all administrators in Admin Approval Mode","description":"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer."},"defaultValue":"1"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsUserAccountControl","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue'', ''='', parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount''), '','', ''User Account Control: Behavior of the elevation prompt for administrators 
@@ -41622,23 +43331,33 @@ interactions: '','', ''User Account Control: Detect application installations and prompt for elevation;ExpectedValue'', ''='', parameters(''UACDetectApplicationInstallationsAndPromptForElevation''), '','', ''User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue'', - ''='', parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''UACRunAllAdministratorsInAdminApprovalMode'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsUserAccountControl"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},"UACDetectApplicationInstallationsAndPromptForElevation":{"value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},"UACRunAllAdministratorsInAdminApprovalMode":{"value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"UACAdminApprovalModeForTheBuiltinAdministratorAccount":{"type":"string"},"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode":{"type":"string"},"UACDetectApplicationInstallationsAndPromptForElevation":{"type":"string"},"UACRunAllAdministratorsInAdminApprovalMode":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User + Account Control: 
Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue","value":"[parameters(''UACAdminApprovalModeForTheBuiltinAdministratorAccount'')]"},{"name":"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'')]"},{"name":"User Account Control: Detect application installations and prompt for elevation;ExpectedValue","value":"[parameters(''UACDetectApplicationInstallationsAndPromptForElevation'')]"},{"name":"User - Account Control: Run all administrators in Admin Approval 
Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue","value":"[parameters(''UACRunAllAdministratorsInAdminApprovalMode'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc","type":"Microsoft.Authorization/policyDefinitions","name":"e425e402-a050-45e5-b010-bd3f934589fc"}' headers: cache-control: - no-cache content-length: - - '8034' + - '10243' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:36 GMT + - Thu, 06 Feb 2020 00:19:03 GMT expires: - '-1' pragma: 
@@ -41669,7 +43388,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41686,7 +43405,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:39 GMT + - Thu, 06 Feb 2020 00:19:03 GMT expires: - '-1' pragma: @@ -41713,7 +43432,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -41724,18 +43443,18 @@ interactions: policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and - resources that use the ''global'' region.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resources that use the ''global'' region.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that can be specified when deploying resources.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"},{"field":"location","notEquals":"global"},{"field":"type","notEquals":"Microsoft.AzureActiveDirectory/b2cDirectories"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c","type":"Microsoft.Authorization/policyDefinitions","name":"e56962a6-4747-49cd-b67b-bf8b01975c4c"}' headers: cache-control: - no-cache content-length: - - '1066' + - '1084' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:40 GMT + - Thu, 06 Feb 2020 00:19:04 GMT expires: - '-1' pragma: @@ -41766,7 +43485,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41783,7 +43502,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:42 GMT + - Thu, 06 Feb 2020 00:19:05 GMT expires: - '-1' pragma: 
@@ -41810,37 +43529,43 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Accounts''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Accounts''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"Accounts: - Guest account status","description":"Specifies whether the local Guest account - is disabled."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"dep
loyIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: - Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AccountsGuestAccountStatus":{"type":"String","metadata":{"displayName":"[Preview]: + Accounts: Guest account status","description":"Specifies whether the local + Guest account is 
disabled."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}
]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsAccounts","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Accounts: + Guest account status;ExpectedValue'', ''='', parameters(''AccountsGuestAccountStatus'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsAccounts"},"AccountsGuestAccountStatus":{"value":"[parameters(''AccountsGuestAccountStatus'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AccountsGuestAccountStatus":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Accounts: - Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Guest account status;ExpectedValue","value":"[parameters(''AccountsGuestAccountStatus'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3","type":"Microsoft.Authorization/policyDefinitions","name":"e5b81f87-9185-4224-bf00-9f505e9f89f3"}' headers: cache-control: - no-cache content-length: - - '5066' + - '6601' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:43 GMT + - Thu, 06 Feb 2020 00:19:05 GMT expires: - '-1' pragma: @@ -41871,7 +43596,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41888,7 +43613,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:45 GMT + - Thu, 06 Feb 2020 00:19:06 GMT expires: - '-1' pragma: @@ -41915,7 +43640,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -41925,18 +43650,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework","policyType":"BuiltIn","mode":"All","description":"Use the latest supported Node.js version for the latest security classes. Using - older classes and types can make your application vulnerable.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"}' + older classes and types can make your application vulnerable.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"UseLatestNodeJS","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008","type":"Microsoft.Authorization/policyDefinitions","name":"e67687e8-08d5-4e7f-8226-5b4753bba008"}' headers: cache-control: - no-cache content-length: - - '1228' + - '1256' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:46 GMT + - Thu, 06 Feb 2020 00:19:07 GMT expires: - '-1' pragma: @@ -41967,7 +43692,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -41984,7 +43709,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:48 GMT + - Thu, 06 Feb 2020 00:19:07 GMT expires: - '-1' pragma: @@ -42011,7 +43736,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42022,18 +43747,18 @@ interactions: Security Group","policyType":"BuiltIn","mode":"All","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your subnet.","metadata":{"category":"Security + that allow or deny network traffic to your subnet.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks/subnets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnSubnets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517","type":"Microsoft.Authorization/policyDefinitions","name":"e71308d3-144b-4262-b144-efdc3cc90517"}' headers: cache-control: - no-cache content-length: - - '1162' + - '1180' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:50 GMT + - Thu, 06 Feb 2020 00:19:08 GMT expires: - '-1' pragma: @@ -42064,7 +43789,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42081,7 +43806,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:52 GMT + - Thu, 06 Feb 2020 00:19:09 GMT expires: - '-1' pragma: 
@@ -42108,7 +43833,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42119,17 +43844,17 @@ interactions: be set to ''All'' in SQL server Advanced Data Security settings","policyType":"BuiltIn","mode":"Indexed","description":"It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, - and any other anomalous activities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and any other anomalous activities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/securityAlertPolicies","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]","equals":""}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad","type":"Microsoft.Authorization/policyDefinitions","name":"e756b945-1b1b-480b-8de8-9a0859d5f7ad"}' headers: cache-control: - no-cache content-length: - - '1137' + - '1155' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:53 GMT + - Thu, 06 Feb 2020 00:19:09 GMT expires: - '-1' pragma: 
@@ -42160,7 +43885,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42177,7 +43902,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:55 GMT + - Thu, 06 Feb 2020 00:19:09 GMT expires: - '-1' pragma: @@ -42204,7 +43929,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42213,18 +43938,18 @@ interactions: body: string: '{"properties":{"displayName":"Allowed locations for resource groups","policyType":"BuiltIn","mode":"All","description":"This policy enables you to restrict the locations your organization can create - resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The + resource groups in. Use to enforce your geo-compliance requirements.","metadata":{"version":"1.0.0","category":"General"},"parameters":{"listOfAllowedLocations":{"type":"Array","metadata":{"description":"The list of locations that resource groups can be created in.","strongType":"location","displayName":"Allowed locations"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Resources/subscriptions/resourceGroups"},{"field":"location","notIn":"[parameters(''listOfAllowedLocations'')]"}]},"then":{"effect":"deny"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988","type":"Microsoft.Authorization/policyDefinitions","name":"e765b5de-1225-4ba3-bd56-1ac6695af988"}' headers: cache-control: - no-cache content-length: - - '908' + - '926' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:56 GMT + - Thu, 06 Feb 2020 00:19:10 GMT expires: - '-1' pragma: @@ -42255,7 +43980,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42272,7 +43997,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:16:58 GMT + - Thu, 06 Feb 2020 00:19:12 GMT expires: - '-1' pragma: 
@@ -42299,7 +44024,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42309,18 +44034,18 @@ interactions: string: '{"properties":{"displayName":"[Deprecated]: Audit Web Sockets state for a Web Application","policyType":"BuiltIn","mode":"All","description":"The Web Sockets protocol is vulnerable to different types of security threats. - Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"category":"Security - Center","preview":true,"deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"}' + Use of Web Sockets within a web application must be carefully reviewed.","metadata":{"version":"1.0.0-deprecated","category":"Security + Center","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Deprecated]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.Web/sites"},{"anyOf":[{"field":"kind","equals":"app"},{"field":"kind","equals":"WebApp"},{"field":"kind","equals":"app,linux"},{"field":"kind","equals":"app,linux,container"}]}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"DisableWebSockets","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e","type":"Microsoft.Authorization/policyDefinitions","name":"e797f851-8be7-4c40-bb56-2e3395215b0e"}' headers: cache-control: - no-cache content-length: - - '1275' + - '1303' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:00 GMT + - Thu, 06 Feb 2020 00:19:12 GMT expires: - '-1' pragma: @@ -42351,7 +44076,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42368,7 +44093,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:01 GMT + - Thu, 06 Feb 2020 00:19:12 GMT expires: - '-1' pragma: @@ -42395,7 +44120,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42409,17 +44134,17 @@ interactions: to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ''man in the middle'' attacks by encrypting the data stream between the server - and your application.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + and your application.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d","type":"Microsoft.Authorization/policyDefinitions","name":"e802a67a-daf5-4436-9ea6-f6d821dd0c5d"}' headers: cache-control: - no-cache content-length: - - '1280' + - '1298' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:02 GMT + - Thu, 06 Feb 2020 00:19:13 GMT expires: - '-1' pragma: @@ -42450,7 +44175,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42467,7 +44192,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:05 GMT + - Thu, 06 Feb 2020 00:19:13 GMT expires: - '-1' pragma: 
@@ -42494,7 +44219,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42504,18 +44229,18 @@ interactions: string: '{"properties":{"displayName":"Vulnerabilities in container security configurations should be remediated","policyType":"BuiltIn","mode":"All","description":"Audit vulnerabilities in security configuration on machines with Docker installed - and display as recommendations in Azure Security Center.","metadata":{"category":"Security + and display as recommendations in Azure Security Center.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"ContainerBenchmark","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","type":"Microsoft.Authorization/policyDefinitions","name":"e8cbc669-f12d-49eb-93e7-9273119e9933"}' headers: cache-control: - no-cache content-length: - - '1167' + - '1185' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:07 GMT + - Thu, 06 Feb 2020 00:19:14 GMT expires: - '-1' pragma: 
@@ -42546,7 +44271,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42563,7 +44288,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:08 GMT + - Thu, 06 Feb 2020 00:19:15 GMT expires: - '-1' pragma: @@ -42590,7 +44315,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42601,7 +44326,7 @@ interactions: Storage Gen1 to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic - settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule 
@@ -42618,11 +44343,11 @@ interactions: cache-control: - no-cache content-length: - - '3825' + - '3843' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:10 GMT + - Thu, 06 Feb 2020 00:19:15 GMT expires: - '-1' pragma: @@ -42653,7 +44378,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42670,7 +44395,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:12 GMT + - Thu, 06 Feb 2020 00:19:16 GMT expires: - '-1' pragma: @@ -42697,7 +44422,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42707,17 +44432,17 @@ interactions: string: '{"properties":{"displayName":"Remote debugging should be turned off for API Apps","policyType":"BuiltIn","mode":"Indexed","description":"Remote debugging requires inbound ports to be opened on an API apps. Remote debugging - should be turned off.","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","existenceCondition":{"field":"Microsoft.Web/sites/config/web.remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"}' + should be turned off.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"*api"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/remoteDebuggingEnabled","equals":"false"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e","type":"Microsoft.Authorization/policyDefinitions","name":"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"}' headers: cache-control: - no-cache content-length: - - '1007' + - '1034' content-type: - application/json; 
charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:13 GMT + - Thu, 06 Feb 2020 00:19:16 GMT expires: - '-1' pragma: @@ -42748,7 +44473,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42765,7 +44490,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:15 GMT + - Thu, 06 Feb 2020 00:19:18 GMT expires: - '-1' pragma: @@ -42792,7 +44517,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42804,7 +44529,7 @@ interactions: specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value - it will not be changed.","metadata":{"category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag + it will not be changed.","metadata":{"version":"1.0.0","category":"Tags"},"parameters":{"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag, such as ''environment''"}}},"policyRule":{"if":{"allOf":[{"field":"[concat(''tags['', parameters(''tagName''), '']'')]","exists":"false"},{"value":"[resourceGroup().tags[parameters(''tagName'')]]","notEquals":""}]},"then":{"effect":"modify","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"operations":[{"operation":"add","field":"[concat(''tags['', parameters(''tagName''), '']'')]","value":"[resourceGroup().tags[parameters(''tagName'')]]"}]}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070","type":"Microsoft.Authorization/policyDefinitions","name":"ea3f2387-9b95-492a-a190-fcdc54f7b070"}' @@ -42812,11 +44537,11 @@ interactions: cache-control: - no-cache content-length: - - '1239' + - '1257' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:16 GMT + - Thu, 06 Feb 2020 00:19:18 GMT expires: - '-1' pragma: @@ -42847,7 +44572,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42864,7 +44589,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:19 GMT + - Thu, 06 Feb 2020 00:19:19 GMT expires: - '-1' pragma: @@ -42891,7 +44616,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42901,17 +44626,17 @@ interactions: string: '{"properties":{"displayName":"Key Vault should use a virtual network service endpoint","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Key Vault not configured to use a virtual network service - endpoint.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + endpoint.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"anyOf":[{"field":"Microsoft.KeyVault/vaults/networkAcls.defaultAction","notEquals":"Deny"},{"field":"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id","exists":"false"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f","type":"Microsoft.Authorization/policyDefinitions","name":"ea4d6841-2173-4317-9747-ff522a45120f"}' headers: cache-control: - no-cache content-length: - - '980' + - '998' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:20 GMT + - Thu, 06 Feb 2020 00:19:19 GMT expires: - '-1' pragma: 
@@ -42942,7 +44667,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -42959,7 +44684,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:21 GMT + - Thu, 06 Feb 2020 00:19:20 GMT expires: - '-1' pragma: @@ -42986,7 +44711,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -42996,18 +44721,18 @@ interactions: string: '{"properties":{"displayName":"Ensure Function app has ''Client Certificates (Incoming client certificates)'' set to ''On''","policyType":"BuiltIn","mode":"Indexed","description":"Client certificates allow for the app to request a certificate for incoming requests. - Only clients that have a valid certificate will be able to reach the app.","metadata":{"category":"App + Only clients that have a valid certificate will be able to reach the app.","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"},{"field":"Microsoft.Web/sites/clientCertEnabled","equals":"false"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c","type":"Microsoft.Authorization/policyDefinitions","name":"eaebaea7-8013-4ceb-9d14-7eb32271373c"}' headers: cache-control: - no-cache content-length: - - '998' + - '1016' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:23 GMT + - Thu, 06 Feb 2020 00:19:20 GMT expires: - '-1' pragma: @@ -43038,7 +44763,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43055,7 +44780,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:26 GMT + - Thu, 06 Feb 2020 00:19:21 GMT expires: - '-1' pragma: 
@@ -43082,7 +44807,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43092,17 +44817,17 @@ interactions: string: '{"properties":{"displayName":"Log checkpoints should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_checkpoints - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_checkpoints","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"}' headers: cache-control: - no-cache content-length: - - '1032' + - '1050' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:27 GMT + - Thu, 06 Feb 2020 00:19:21 GMT expires: - '-1' pragma: 
@@ -43133,7 +44858,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43150,7 +44875,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:29 GMT + - Thu, 06 Feb 2020 00:19:22 GMT expires: - '-1' pragma: @@ -43177,7 +44902,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43187,17 +44912,17 @@ interactions: string: '{"properties":{"displayName":"Log connections should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_connections - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_connections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"}' headers: cache-control: - no-cache content-length: - - '1032' + - '1050' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:31 GMT + - Thu, 06 Feb 2020 00:19:22 GMT expires: - '-1' pragma: @@ -43228,7 +44953,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43245,7 +44970,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:33 GMT + - Thu, 06 Feb 2020 00:19:24 GMT expires: - '-1' pragma: 
@@ -43272,7 +44997,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43282,17 +45007,17 @@ interactions: string: '{"properties":{"displayName":"Disconnections should be logged for PostgreSQL database servers.","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_disconnections - enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_disconnections","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"}' headers: cache-control: - no-cache content-length: - - '1029' + - '1047' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:35 GMT + - Thu, 06 Feb 2020 00:19:24 GMT expires: - '-1' pragma: 
@@ -43323,7 +45048,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43340,7 +45065,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:37 GMT + - Thu, 06 Feb 2020 00:19:25 GMT expires: - '-1' pragma: @@ -43367,7 +45092,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43377,17 +45102,17 @@ interactions: string: '{"properties":{"displayName":"Log duration should be enabled for PostgreSQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy helps audit any PostgreSQL databases in your environment without log_duration - setting enabled.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + setting enabled.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforPostgreSQL/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.DBforPostgreSQL/servers/configurations","name":"log_duration","existenceCondition":{"field":"Microsoft.DBforPostgreSQL/servers/configurations/value","equals":"ON"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3","type":"Microsoft.Authorization/policyDefinitions","name":"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"}' headers: cache-control: - no-cache content-length: - - '1023' + - '1041' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:39 GMT + - Thu, 06 Feb 2020 00:19:26 GMT expires: - '-1' pragma: @@ -43418,7 +45143,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43435,7 +45160,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:41 GMT + - Thu, 06 Feb 2020 00:19:31 GMT expires: - '-1' pragma: 
@@ -43462,7 +45187,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43472,18 +45197,18 @@ interactions: string: '{"properties":{"displayName":"Deprecated accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"Deprecated accounts with owner permissions should be removed from your subscription. Deprecated - accounts are accounts that have been blocked from signing in.","metadata":{"category":"Security + accounts are accounts that have been blocked from signing in.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveDeprecatedAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad","type":"Microsoft.Authorization/policyDefinitions","name":"ebb62a0c-3560-49e1-89ed-27e074e9f8ad"}' headers: cache-control: - no-cache content-length: - - '1138' + - '1156' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:42 GMT + - Thu, 06 Feb 2020 00:19:32 GMT expires: - '-1' pragma: 
@@ -43514,7 +45239,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43531,7 +45256,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:45 GMT + - Thu, 06 Feb 2020 00:19:33 GMT expires: - '-1' pragma: @@ -43558,7 +45283,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43572,8 +45297,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid110","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid110"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -43585,11 +45310,11 @@ interactions: cache-control: - no-cache content-length: - - '5710' + - '6181' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:46 GMT + - Thu, 06 Feb 2020 00:19:33 GMT expires: - '-1' pragma: @@ -43620,7 +45345,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43637,7 +45362,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:48 GMT + - Thu, 06 Feb 2020 00:19:34 GMT expires: - '-1' pragma: 
@@ -43664,33 +45389,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Administrative Templates - Control Panel''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Administrative Templates - Control Panel''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more - information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","roleDefinitionIds":["/providers/microsoft.authorization/roleD
efinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdministrativeTemplatesControlPanel","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdministrativeTemplatesControlPanel"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d","type":"Microsoft.Authorization/policyDefinitions","name":"ec7ac234-2af5-4729-94d2-c557c071799d"}' headers: cache-control: - no-cache content-length: - - '4408' + - '5796' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:49 GMT + - Thu, 06 Feb 2020 00:19:34 GMT expires: - '-1' pragma: @@ -43721,7 +45451,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43738,7 +45468,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:51 GMT + - Thu, 06 Feb 2020 00:19:35 GMT expires: - '-1' pragma: @@ -43765,7 +45495,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43775,7 +45505,7 @@ interactions: string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Key Vault to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when - any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"category":"Key + any Key Vault which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Key Vault"},"parameters":{"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -43793,11 +45523,11 @@ interactions: cache-control: - no-cache content-length: - - '3571' + - '3589' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:52 GMT + - Thu, 06 Feb 2020 00:19:35 GMT expires: - '-1' pragma: @@ -43828,7 +45558,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43845,7 +45575,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:54 GMT + - Thu, 06 Feb 2020 00:19:37 GMT expires: - '-1' pragma: @@ -43872,7 +45602,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43883,7 +45613,7 @@ interactions: Analytics to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is - created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -43900,11 +45630,11 @@ interactions: cache-control: - no-cache content-length: - - '3826' + - '3844' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:56 GMT + - Thu, 06 Feb 2020 00:19:37 GMT expires: - '-1' pragma: 
@@ -43935,7 +45665,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -43952,7 +45682,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:17:58 GMT + - Thu, 06 Feb 2020 00:19:38 GMT expires: - '-1' pragma: @@ -43979,7 +45709,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -43990,17 +45720,17 @@ interactions: on your SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate - potential database vulnerabilities.","metadata":{"category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + potential database vulnerabilities.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Sql/servers"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Sql/servers/vulnerabilityAssessments","name":"default","existenceCondition":{"field":"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled","equals":"True"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","type":"Microsoft.Authorization/policyDefinitions","name":"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"}' headers: cache-control: - no-cache content-length: - - '1113' + - '1131' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:00 GMT + - Thu, 06 Feb 2020 00:19:38 GMT expires: - '-1' pragma: @@ -44031,7 +45761,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44048,7 +45778,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:02 GMT + - Thu, 06 Feb 2020 00:19:39 GMT expires: - '-1' pragma: 
@@ -44075,7 +45805,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44085,7 +45815,7 @@ interactions: string: '{"properties":{"displayName":"Deploy Diagnostic Settings for Event Hub to Event Hub","policyType":"BuiltIn","mode":"Indexed","description":"Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when - any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + any Event Hub which is missing this diagnostic settings is created or updated.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"profileName":{"type":"String","metadata":{"displayName":"Profile name","description":"The diagnostic settings profile name"},"defaultValue":"setbypolicy_eventHub"},"eventHubRuleId":{"type":"String","metadata":{"displayName":"Event Hub Authorization Rule Id","description":"The Event Hub authorization rule @@ -44102,11 +45832,11 @@ interactions: cache-control: - no-cache content-length: - - '4103' + - '4121' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:03 GMT + - Thu, 06 Feb 2020 00:19:39 GMT expires: - '-1' pragma: 
@@ -44137,7 +45867,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44154,7 +45884,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:05 GMT + - Thu, 06 Feb 2020 00:19:40 GMT expires: - '-1' pragma: @@ -44181,7 +45911,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44191,17 +45921,17 @@ interactions: string: '{"properties":{"displayName":"The Log Analytics agent should be installed on Virtual Machine Scale Sets","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics - agent is not installed.","metadata":{"category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + agent is not installed.","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachineScaleSets"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Compute/virtualMachineScaleSets/extensions","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/type","in":["MicrosoftMonitoringAgent","OmsAgentForLinux"]},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState","equals":"Succeeded"},{"field":"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId","exists":"true"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf","type":"Microsoft.Authorization/policyDefinitions","name":"efbde977-ba53-4479-b8e9-10b957924fbf"}' headers: cache-control: - no-cache content-length: - - '1416' + - '1434' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:06 GMT + - Thu, 06 Feb 2020 00:19:40 GMT expires: - '-1' pragma: 
@@ -44232,7 +45962,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44249,7 +45979,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:08 GMT + - Thu, 06 Feb 2020 00:19:41 GMT expires: - '-1' pragma: @@ -44276,7 +46006,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44288,18 +46018,18 @@ interactions: service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other - Azure services securely without the need of username and passwords","metadata":{"category":"App + Azure services securely without the need of username and passwords","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/web.managedServiceIdentityId","exists":"true"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8","type":"Microsoft.Authorization/policyDefinitions","name":"f0473e7a-a1ba-4e86-afb2-e829e11b01d8"}' headers: cache-control: - no-cache content-length: - - '1258' + - '1276' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:10 GMT + - Thu, 06 Feb 2020 00:19:41 GMT expires: - '-1' pragma: @@ -44330,7 +46060,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44347,7 +46077,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:12 GMT + - Thu, 06 Feb 2020 00:19:43 GMT expires: - '-1' pragma: 
@@ -44374,7 +46104,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44388,11 +46118,11 @@ interactions: managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application + https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"ApplicationName":{"type":"String","metadata":{"displayName":"Application names (supports wildcards)","description":"A semicolon-separated list of the names of the applications that should not be installed. e.g. ''Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code'' or ''Microsoft SQL Server - 2014*'' (to match any application starting with ''Microsoft SQL Server 
2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"exist
enceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', + 2014*'' (to match any application starting with ''Microsoft SQL Server 2014'')"}}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageP
rofile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"NotInstalledApplication","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[InstalledApplication]NotInstalledApplicationResource1;Name'', ''='', parameters(''ApplicationName'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"NotInstalledApplication"},"ApplicationName":{"value":"[parameters(''ApplicationName'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"ApplicationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[InstalledApplication]NotInstalledApplicationResource1;Name","value":"[parameters(''ApplicationName'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), @@ -44405,11 +46135,11 @@ interactions: cache-control: - no-cache content-length: - - '6244' + - '6655' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:13 GMT + - Thu, 06 Feb 2020 00:19:43 GMT expires: - '-1' pragma: @@ -44440,7 +46170,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44457,7 +46187,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:16 GMT + - Thu, 06 Feb 2020 00:19:44 GMT expires: - '-1' pragma: @@ -44484,7 +46214,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44493,17 +46223,17 @@ interactions: body: string: '{"properties":{"displayName":"Latest TLS version should be used in your Web App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"app*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","type":"Microsoft.Authorization/policyDefinitions","name":"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"}' headers: cache-control: - no-cache content-length: - - '930' + - '948' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:17 GMT + - Thu, 06 Feb 2020 00:19:44 GMT expires: - '-1' pragma: @@ -44534,7 +46264,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44551,7 +46281,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:20 GMT + - Thu, 06 Feb 2020 00:19:45 GMT expires: - '-1' pragma: 
@@ -44578,7 +46308,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44588,7 +46318,7 @@ interactions: string: '{"properties":{"displayName":"Virtual networks should use specified virtual network gateway","policyType":"BuiltIn","mode":"Indexed","description":"This policy audits any virtual network if the default route does not point to the - specified virtual network gateway.","metadata":{"category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + specified virtual network gateway.","metadata":{"version":"1.0.0","category":"Network"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"virtualNetworkGatewayId":{"type":"String","metadata":{"displayName":"Virtual network gateway Id","description":"Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"}}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Network/virtualNetworks"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Network/virtualNetworks/subnets","name":"GatewaySubnet","existenceCondition":{"not":{"field":"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id","notContains":"[concat(parameters(''virtualNetworkGatewayId''), @@ -44597,11 +46327,11 @@ interactions: cache-control: - no-cache content-length: - - '1395' + - '1413' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:21 GMT + - Thu, 06 Feb 2020 00:19:45 GMT expires: - '-1' pragma: 
@@ -44632,7 +46362,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44649,7 +46379,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:23 GMT + - Thu, 06 Feb 2020 00:19:47 GMT expires: - '-1' pragma: @@ -44676,7 +46406,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44690,8 +46420,8 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals
":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.1.0-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Co
mpute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordPolicy_msid121","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"PasswordPolicy_msid121"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), @@ -44703,11 +46433,11 @@ interactions: cache-control: - no-cache content-length: - - '5700' + - '6171' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:24 GMT + - Thu, 06 Feb 2020 00:19:47 GMT expires: - '-1' pragma: @@ -44738,7 +46468,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44755,7 +46485,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:26 GMT + - Thu, 06 Feb 2020 00:19:48 GMT expires: - '-1' pragma: 
@@ -44782,33 +46512,38 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Adminstrative Templates - MSS (Legacy)''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Adminstrative Templates - MSS (Legacy)''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","roleDefinitionIds":["/providers/microsoft.authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), - ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.1-preview","category":"Guest + 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Micr
osoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_AdminstrativeTemplatesMSSLegacy","deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_AdminstrativeTemplatesMSSLegacy"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', 
parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*"}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d","type":"Microsoft.Authorization/policyDefinitions","name":"f1f4825d-58fb-4257-8016-8c00e3c9ed9d"}' headers: cache-control: - no-cache content-length: - - '4396' + - '5784' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:28 GMT + - Thu, 06 Feb 2020 00:19:48 GMT expires: - '-1' pragma: @@ -44839,7 +46574,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44856,7 +46591,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:31 GMT + - Thu, 06 Feb 2020 00:19:49 GMT expires: - '-1' pragma: @@ -44883,7 +46618,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44896,17 +46631,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.Hybri
dCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"}' + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePub
lisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AdministratorsGroupMembersToInclude","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a","type":"Microsoft.Authorization/policyDefinitions","name":"f3b44e5d-1456-475f-9c67-c66c4618e85a"}' headers: cache-control: - no-cache content-length: - - '2812' + - '3223' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:32 GMT + - Thu, 06 Feb 2020 00:19:50 GMT expires: - '-1' pragma: @@ -44937,7 +46672,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -44954,7 +46689,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:33 GMT + - Thu, 06 Feb 2020 00:19:51 GMT expires: - '-1' pragma: 
@@ -44981,7 +46716,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -44994,17 +46729,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). - For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"all
Of":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}' + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Mic
rosoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsCertificateInTrustedRoot","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f","type":"Microsoft.Authorization/policyDefinitions","name":"f3b9ad83-000d-4dc1-bff0-6d54533dd03f"}' headers: cache-control: - no-cache content-length: - - '2848' + - '3282' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:35 GMT + - Thu, 06 Feb 2020 00:19:51 GMT expires: - '-1' pragma: @@ -45035,7 +46770,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45052,7 +46787,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:37 GMT + - Thu, 06 Feb 2020 00:19:51 GMT expires: - '-1' pragma: @@ -45079,7 +46814,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45089,7 +46824,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch","policyType":"BuiltIn","mode":"Indexed","description":"Reports VMs as non-compliant if they not logging to the LA workspace specified in - the policy/initiative assignment.","metadata":{"category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log + the policy/initiative assignment.","metadata":{"version":"1.0.0-preview","category":"Monitoring"},"parameters":{"logAnalyticsWorkspaceId":{"type":"String","metadata":{"displayName":"Log Analytics Workspace Id that VMs should be configured for","description":"This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines/extensions"},{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId","notEquals":"[parameters(''logAnalyticsWorkspaceId'')]"}]},"then":{"effect":"audit"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917","type":"Microsoft.Authorization/policyDefinitions","name":"f47b5582-33ec-4c5c-87c0-b010a6b2e917"}' 
@@ -45097,11 +46832,11 @@ interactions: cache-control: - no-cache content-length: - - '1136' + - '1162' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:39 GMT + - Thu, 06 Feb 2020 00:19:52 GMT expires: - '-1' pragma: @@ -45132,7 +46867,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45149,7 +46884,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:41 GMT + - Thu, 06 Feb 2020 00:19:53 GMT expires: - '-1' pragma: @@ -45176,7 +46911,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45186,17 +46921,17 @@ interactions: string: '{"properties":{"displayName":"Authorization rules on the Event Hub instance should be defined","policyType":"BuiltIn","mode":"All","description":"Audit existence of authorization rules on Event Hub entities to grant least-privileged - access","metadata":{"category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + access","metadata":{"version":"1.0.0","category":"Event Hub"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.EventHub/namespaces/eventhubs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.EventHub/namespaces/eventHubs/authorizationRules"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d","type":"Microsoft.Authorization/policyDefinitions","name":"f4826e5f-6a27-407c-ae3e-9582eb39891d"}' headers: cache-control: - no-cache content-length: - - '905' + - '923' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:42 GMT + - Thu, 06 Feb 2020 00:19:53 GMT expires: - '-1' pragma: @@ -45227,7 +46962,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45244,7 +46979,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:44 GMT + - Thu, 06 Feb 2020 00:19:55 GMT expires: - '-1' pragma: 
@@ -45271,7 +47006,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45284,16 +47019,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please - visit https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"fie
ld":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"}' + visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals"
:"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"PasswordMustMeetComplexityRequirements","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb","type":"Microsoft.Authorization/policyDefinitions","name":"f48b2913-1dc5-4834-8c72-ccc1dfd819bb"}' headers: cache-control: - no-cache content-length: - - '2780' + - '3214' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:46 GMT + - Thu, 06 Feb 2020 00:19:55 GMT expires: - '-1' pragma: @@ -45324,7 +47060,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45341,7 +47077,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:48 GMT + - Thu, 06 Feb 2020 00:19:56 GMT expires: - '-1' pragma: 
@@ -45368,7 +47104,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45382,10 +47118,10 @@ interactions: a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration - policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"Number - of days","description":"The number of days without restart until the machine - is considered non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Co
mpute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', + policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NumberOfDays":{"type":"String","metadata":{"displayName":"[Preview]: + Number of days","description":"The number of days without restart until the + machine is considered 
non-compliant"},"defaultValue":"12"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"
}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"MachineLastBootUpTime","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''[MachineUpTime]MachineLastBootUpTime;NumberOfDays'', ''='', parameters(''NumberOfDays'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"MachineLastBootUpTime"},"NumberOfDays":{"value":"[parameters(''NumberOfDays'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NumberOfDays":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"[MachineUpTime]MachineLastBootUpTime;NumberOfDays","value":"[parameters(''NumberOfDays'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), 
@@ -45398,11 +47134,11 @@ interactions: cache-control: - no-cache content-length: - - '6040' + - '6485' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:50 GMT + - Thu, 06 Feb 2020 00:19:56 GMT expires: - '-1' pragma: @@ -45433,7 +47169,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45450,7 +47186,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:52 GMT + - Thu, 06 Feb 2020 00:19:57 GMT expires: - '-1' pragma: @@ -45477,7 +47213,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45487,7 +47223,7 @@ interactions: string: '{"properties":{"displayName":"Deploy Auditing on SQL servers","policyType":"BuiltIn","mode":"Indexed","description":"This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same - region as the SQL server to store audit records.","metadata":{"category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The + region as the SQL server to store audit records.","metadata":{"version":"1.0.0","category":"SQL"},"parameters":{"retentionDays":{"type":"String","metadata":{"description":"The value in days of the retention period (0 indicates unlimited retention)","displayName":"Retention days (optional, 180 days if unspecified)"},"defaultValue":"180"},"storageAccountsResourceGroup":{"type":"String","metadata":{"displayName":"Resource group name for storage accounts","description":"Auditing writes database events @@ -45504,11 +47240,11 @@ interactions: cache-control: - no-cache content-length: - - '4046' + - '4064' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:53 GMT + - Thu, 06 Feb 2020 00:19:57 GMT expires: - '-1' pragma: @@ -45539,7 +47275,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45556,7 +47292,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:55 GMT + - Thu, 06 Feb 2020 00:19:58 GMT expires: - '-1' pragma: 
@@ -45583,58 +47319,66 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''Security Options - Network Access''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Network Access''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths","description":"Specifies which - registry paths will be accessible over the network, regardless of the users - or groups listed in the access control list (ACL) of the `winreg` registry + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths","description":"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry key."},"defaultValue":"System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server - Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"Network - access: Remotely accessible registry paths and sub-paths","description":"Specifies + Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Remotely accessible registry paths and sub-paths","description":"Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry 
key."},"defaultValue":"System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal - Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"Network - access: Shares that can be accessed anonymously","description":"Specifies + Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"String","metadata":{"displayName":"[Preview]: + Network access: Shares that can be accessed anonymously","description":"Specifies which network shares can be accessed by anonymous users. 
The default configuration for this policy setting has little effect because all users have to be authenticated - before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitio
ns/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network + before they can access shared resources on the server."},"defaultValue":"0"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDis
k.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsNetworkAccess","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Network access: Remotely accessible registry paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPaths''), '','', ''Network access: Remotely accessible registry paths and sub-paths;ExpectedValue'', ''='', parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths''), '','', ''Network access: Shares that can be accessed anonymously;ExpectedValue'', - ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''='', 
parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SecurityOptionsNetworkAccess"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPaths":{"type":"string"},"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths":{"type":"string"},"NetworkAccessSharesThatCanBeAccessedAnonymously":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network + access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network + access: Remotely accessible registry paths and 
sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Network access: Remotely accessible registry paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPaths'')]"},{"name":"Network access: Remotely accessible registry paths and sub-paths;ExpectedValue","value":"[parameters(''NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'')]"},{"name":"Network - access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + access: Shares that can be accessed anonymously;ExpectedValue","value":"[parameters(''NetworkAccessSharesThatCanBeAccessedAnonymously'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + 
toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), ''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a","type":"Microsoft.Authorization/policyDefinitions","name":"f56a3ab2-89d1-44de-ac0d-2ada5962e22a"}' headers: cache-control: - no-cache content-length: - - '7998' + - '9920' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:56 GMT + - Thu, 06 Feb 2020 00:19:59 GMT expires: - '-1' pragma: @@ -45665,7 +47409,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45682,7 +47426,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:58 GMT + - Thu, 06 Feb 2020 00:20:00 GMT expires: - '-1' pragma: 
@@ -45709,29 +47453,29 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"Virtual machines should be associated - with a Network Security Group","policyType":"BuiltIn","mode":"All","description":"Protect + string: '{"properties":{"displayName":"Internet-facing virtual machines should + be protected with Network Security Groups","policyType":"BuiltIn","mode":"All","description":"Protect your VM from potential threats by restricting access to it with a Network - Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules - that allow or deny network traffic to your VM from other instances, in or - outside the same subnet.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Compute/virtualMachines","Microsoft.ClassicCompute/virtualMachines"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"networkSecurityGroupsOnVirtualMachines","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","type":"Microsoft.Authorization/policyDefinitions","name":"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"}' headers: cache-control: - no-cache content-length: - - '1256' + - '1214' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:18:59 GMT + - Thu, 06 Feb 2020 00:20:00 GMT expires: - '-1' pragma: @@ -45762,7 +47506,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -45779,7 +47523,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:02 GMT + - Thu, 06 Feb 2020 00:20:01 GMT expires: - '-1' pragma: @@ -45806,7 +47550,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45819,17 +47563,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on - Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},{"allOf":[{"field":"type","equals":"Mic
rosoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"}' + Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0","category":"Guest + Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field
":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"WindowsPowerShellExecutionPolicy","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855","type":"Microsoft.Authorization/policyDefinitions","name":"f8036bd0-c10b-4931-86bb-94a878add855"}' headers: cache-control: - no-cache content-length: - - '2808' + - '3219' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:03 GMT + - Thu, 06 Feb 2020 00:20:02 GMT expires: - '-1' pragma: @@ -45860,7 +47604,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45877,7 +47621,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:06 GMT + - Thu, 06 Feb 2020 00:20:03 GMT expires: - '-1' pragma: @@ -45904,7 +47648,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45914,17 +47658,18 @@ interactions: string: '{"properties":{"displayName":"External accounts with owner permissions should be removed from your subscription","policyType":"BuiltIn","mode":"All","description":"External accounts with owner permissions should be removed from your subscription in - order to prevent unmonitored access.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + order to prevent unmonitored access.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Resources/subscriptions"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"RemoveExternalAccountsWithOwnerPermissions","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9","type":"Microsoft.Authorization/policyDefinitions","name":"f8456c1c-aa66-4dfb-861a-25d127b775c9"}' headers: cache-control: - no-cache content-length: - - '1097' + - '1115' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:07 GMT + - Thu, 06 Feb 2020 00:20:03 GMT expires: - '-1' pragma: @@ -45955,7 +47700,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -45972,7 +47717,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:09 GMT + - Thu, 06 Feb 2020 00:20:04 GMT expires: - '-1' pragma: 
@@ -45999,40 +47744,46 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473?api-version=2019-09-01 response: body: - string: '{"properties":{"displayName":"[Preview]: Deploy requirements to audit + string: '{"properties":{"displayName":"[Preview]: Deploy prerequisites to audit Windows VMs configurations in ''System Audit Policies - System''","policyType":"BuiltIn","mode":"Indexed","description":"This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ''System Audit Policies - System''. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. 
For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"Audit - Other System Events","description":"Specifies whether audit events are generated - for Windows Firewall Service and Windows Firewall driver start and stop events, - failure events for these services and Windows Firewall Service policy processing - failures."},"allowedValues":["No Auditing","Success","Failure","Success and - Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field"
:"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit - Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","requiredProviders":["Microsoft.GuestConfiguration"],"preview":true},"parameters":{"AuditOtherSystemEvents":{"type":"String","metadata":{"displayName":"[Preview]: + Audit Other System Events","description":"Specifies whether audit events are + generated for Windows Firewall Service and Windows Firewall driver start and + stop events, failure events for these services and Windows 
Firewall Service + policy processing failures."},"allowedValues":["No Auditing","Success","Failure","Success + and Failure"],"defaultValue":"No Auditing"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":
[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SystemAuditPoliciesSystem","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash","equals":"[base64(concat(''Audit + Other System Events;ExpectedValue'', ''='', parameters(''AuditOtherSystemEvents'')))]"},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"},"type":{"value":"[field(''type'')]"},"configurationName":{"value":"AzureBaseline_SystemAuditPoliciesSystem"},"AuditOtherSystemEvents":{"value":"[parameters(''AuditOtherSystemEvents'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"},"type":{"type":"string"},"configurationName":{"type":"string"},"AuditOtherSystemEvents":{"type":"string"}},"resources":[{"condition":"[equals(toLower(parameters(''type'')), + toLower(''microsoft.hybridcompute/machines''))]","apiVersion":"2018-11-20","type":"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), + ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit + Other System 
Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2018-11-20","type":"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments","name":"[concat(parameters(''vmName''), ''/Microsoft.GuestConfiguration/'', parameters(''configurationName''))]","location":"[parameters(''location'')]","properties":{"guestConfiguration":{"name":"[parameters(''configurationName'')]","version":"1.*","configurationParameter":[{"name":"Audit - Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + Other System Events;ExpectedValue","value":"[parameters(''AuditOtherSystemEvents'')]"}]}}},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"condition":"[equals(toLower(parameters(''type'')), + toLower(''Microsoft.Compute/virtualMachines''))]","apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforWindows'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforWindows","typeHandlerVersion":"1.1","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}},"dependsOn":["[concat(''Microsoft.Compute/virtualMachines/'',parameters(''vmName''),''/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/'',parameters(''configurationName''))]"]}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473","type":"Microsoft.Authorization/policyDefinitions","name":"f8b0158d-4766-490f-bea0-259e52dba473"}' headers: cache-control: - no-cache content-length: - - '5282' + - '6808' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:11 GMT + - Thu, 06 Feb 2020 00:20:04 GMT expires: - '-1' pragma: @@ -46063,7 +47814,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46080,7 +47831,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:12 GMT + - Thu, 06 Feb 2020 00:20:05 GMT expires: - '-1' pragma: @@ -46107,7 +47858,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46118,19 +47869,19 @@ interactions: be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network - is compromised","metadata":{"category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + is compromised","metadata":{"version":"2.0.0","category":"Service Bus"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45","type":"Microsoft.Authorization/policyDefinitions","name":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45"}' headers: cache-control: - no-cache content-length: - - '1788' + - '1902' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:14 GMT + - Thu, 06 Feb 2020 00:20:06 GMT expires: - '-1' pragma: @@ -46161,7 +47912,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46178,7 +47929,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:16 GMT + - Thu, 06 Feb 2020 00:20:08 GMT expires: - '-1' pragma: 
@@ -46205,7 +47956,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46216,19 +47967,20 @@ interactions: should be enabled","policyType":"BuiltIn","mode":"Indexed","description":"Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when - your network is compromised","metadata":{"category":"Stream Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + your network is compromised","metadata":{"version":"2.0.0","category":"Stream + Analytics"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"},"requiredRetentionDays":{"type":"String","metadata":{"displayName":"Required retention (days)","description":"The required diagnostic logs retention in - days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"}' + 
days"},"defaultValue":"365"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.StreamAnalytics/streamingJobs"},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Insights/diagnosticSettings","existenceCondition":{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"anyOf":[{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"},{"anyOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"0"},{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days","equals":"[parameters(''requiredRetentionDays'')]"}]},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]},{"allOf":[{"not":{"field":"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled","equals":"true"}},{"field":"Microsoft.Insights/diagnosticSettings/logs.enabled","equals":"true"}]}]}},"greaterOrEquals":1}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46","type":"Microsoft.Authorization/policyDefinitions","name":"f9be5368-9bf5-4b84-9e0a-7850da98bb46"}' headers: cache-control: - no-cache content-length: - - '1812' + - '1926' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:18 GMT + - Thu, 06 Feb 2020 00:20:08 GMT expires: - '-1' pragma: @@ -46259,7 +48011,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46276,7 +48028,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:20 GMT + - Thu, 06 Feb 2020 00:20:09 GMT expires: - '-1' pragma: 
@@ -46303,7 +48055,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46312,17 +48064,17 @@ interactions: body: string: '{"properties":{"displayName":"Latest TLS version should be used in your Function App","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade - to the latest TLS version","metadata":{"category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + to the latest TLS version","metadata":{"version":"1.0.0","category":"App Service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Web/sites"},{"field":"kind","like":"functionapp*"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Web/sites/config","name":"web","existenceCondition":{"field":"Microsoft.Web/sites/config/minTlsVersion","equals":"1.2"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193","type":"Microsoft.Authorization/policyDefinitions","name":"f9d614c5-c173-4d56-95a7-b4437057d193"}' headers: cache-control: - no-cache content-length: - - '943' + - '961' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:21 GMT + - Thu, 06 Feb 2020 00:20:10 GMT expires: - '-1' pragma: @@ -46353,7 +48105,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46370,7 +48122,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:22 GMT + - Thu, 06 Feb 2020 00:20:11 GMT expires: - '-1' pragma: @@ -46397,7 +48149,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46410,17 +48162,17 @@ interactions: for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol.","metadata":{"category":"Guest Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"fi
eld":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), + https://aka.ms/gcpol.","metadata":{"version":"1.1.0","category":"Guest 
Configuration","requiredProviders":["Microsoft.GuestConfiguration"]},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","eq
uals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},"then":{"effect":"deployIfNotExists","details":{"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"type":"Microsoft.Compute/virtualMachines/extensions","name":"AzurePolicyforLinux","existenceCondition":{"allOf":[{"field":"Microsoft.Compute/virtualMachines/extensions/publisher","equals":"Microsoft.GuestConfiguration"},{"field":"Microsoft.Compute/virtualMachines/extensions/type","equals":"ConfigurationforLinux"}]},"deployment":{"properties":{"mode":"incremental","parameters":{"vmName":{"value":"[field(''name'')]"},"location":{"value":"[field(''location'')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vmName":{"type":"string"},"location":{"type":"string"}},"resources":[{"apiVersion":"2017-03-30","type":"Microsoft.Compute/virtualMachines","identity":{"type":"SystemAssigned"},"name":"[parameters(''vmName'')]","location":"[parameters(''location'')]"},{"apiVersion":"2015-05-01-preview","name":"[concat(parameters(''vmName''), 
''/AzurePolicyforLinux'')]","type":"Microsoft.Compute/virtualMachines/extensions","location":"[parameters(''location'')]","properties":{"publisher":"Microsoft.GuestConfiguration","type":"ConfigurationforLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":{},"protectedSettings":{}}}]}}}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50","type":"Microsoft.Authorization/policyDefinitions","name":"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"}' headers: cache-control: - no-cache content-length: - - '4213' + - '4661' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:24 GMT + - Thu, 06 Feb 2020 00:20:11 GMT expires: - '-1' pragma: @@ -46451,7 +48203,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46468,7 +48220,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:26 GMT + - Thu, 06 Feb 2020 00:20:12 GMT expires: - '-1' pragma: @@ -46495,7 +48247,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46506,18 +48258,117 @@ interactions: be upgraded to a non-vulnerable Kubernetes version","policyType":"BuiltIn","mode":"Indexed","description":"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 - has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"category":"Security - Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"
field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"}' + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","metadata":{"version":"1.0.0-preview","category":"Security + Center","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.13.4","1.13.3","1.13.2","1.13.1","1.13.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.12.6","1.12.5","1.12.4","1.12.3","1.12.2","1.12.1","1.12.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","in":["1.11.8","1.11.7","1.11.6","1.11.5","1.11.4","1.11.3","1.11.2","1.11.1","1.11.0"]},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.10.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.9.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.8.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.7.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.6.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.5.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.4.*"},{"field":"Microsoft.ContainerService/manage
dClusters/kubernetesVersion","like":"1.3.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.2.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.1.*"},{"field":"Microsoft.ContainerService/managedClusters/kubernetesVersion","like":"1.0.*"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c","type":"Microsoft.Authorization/policyDefinitions","name":"fb893a29-21bb-418c-a157-e99480ec364c"}' + headers: + cache-control: + - no-cache + content-length: + - '2475' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:20:12 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2?api-version=2019-09-01 + response: + body: + string: '{"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition + ''fbb99e8e-e444-4da0-9ff1-75c92f5a85b2'' could not be found."}}' headers: cache-control: - no-cache content-length: - - '2438' + - '138' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:27 GMT + - Thu, 06 Feb 2020 00:20:14 GMT + expires: + - '-1' + pragma: + - no-cache + 
strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 404 + message: Not Found +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition show + Connection: + - keep-alive + ParameterSetName: + - -n + User-Agent: + - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"Storage account containing the container + with activity logs must be encrypted with BYOK","policyType":"BuiltIn","mode":"All","description":"This + policy audits if the Storage account containing the container with activity + logs is encrypted with BYOK. The policy works only if the storage account + lies on the same subscription as activity logs by design. More information + on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. 
+ ","metadata":{"version":"1.0.0","category":"Monitoring"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Insights/logProfiles"},{"field":"Microsoft.Insights/logProfiles/storageAccountId","exists":"true"}]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Storage/storageAccounts","existenceScope":"subscription","existenceCondition":{"allOf":[{"value":"[contains(field(''Microsoft.Insights/logProfiles/storageAccountId''), + subscription().Id)]","equals":"true"},{"field":"name","equals":"[last(split(field(''Microsoft.Insights/logProfiles/storageAccountId''),''/''))]"},{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","equals":"Microsoft.Keyvault"}]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2","type":"Microsoft.Authorization/policyDefinitions","name":"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"}' + headers: + cache-control: + - no-cache + content-length: + - '1608' + content-type: + - application/json; charset=utf-8 + date: + - Thu, 06 Feb 2020 00:20:14 GMT expires: - '-1' pragma: @@ -46548,7 +48399,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46565,7 +48416,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:29 GMT + - Thu, 06 Feb 2020 00:20:14 GMT expires: - '-1' pragma: 
@@ -46592,7 +48443,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46605,17 +48456,17 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ''Security Options - Microsoft Network Client''. For more information - on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"category":"Guest - Configuration"},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageSKU","notEquals":"SQL2008R2SP3-WS2008R2SP1"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]}]}]},"then":{"effect":"auditIfNotExists","de
tails":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"}' + on Guest Configuration policies, please visit https://aka.ms/gcpol","metadata":{"version":"1.0.0-preview","category":"Guest + Configuration","preview":true},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["esri","incredibuild","MicrosoftDynamicsAX","MicrosoftSharepoint","MicrosoftVisualStudio","MicrosoftWindowsDesktop","MicrosoftWindowsServerHPCPack"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftWindowsServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"MicrosoftSQLServer"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","equals":"dsvm-windows"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","in":["standard-data-science-vm","windows-data-science-vm"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"batch"},{"field":"Microsoft.Compute/imageOffer","equals":"rendering-windows2016"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"center-for-internet-security-inc"},{"field":"Microsoft.Compute/imageOffer","like":"cis-windows-server-201*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"pivotal"},{"field":"Microsoft.Compute/imageOffer
","like":"bosh-windows-server*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloud-infrastructure-services"},{"field":"Microsoft.Compute/imageOffer","like":"ad*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Windows*"}]},{"anyOf":[{"field":"Microsoft.Compute/imageSKU","exists":"false"},{"allOf":[{"field":"Microsoft.Compute/imageSKU","notLike":"2008*"},{"field":"Microsoft.Compute/imageOffer","notLike":"SQL2008*"}]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"windows*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"AzureBaseline_SecurityOptionsMicrosoftNetworkClient","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b","type":"Microsoft.Authorization/policyDefinitions","name":"fcbc55c9-f25a-4e55-a6cb-33acb3be778b"}' headers: cache-control: - no-cache content-length: - - '2693' + - '3277' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:30 GMT + - Thu, 06 Feb 2020 00:20:15 GMT expires: - '-1' pragma: @@ -46646,7 +48497,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46663,7 +48514,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:33 GMT + - Thu, 06 Feb 2020 00:20:16 GMT expires: - '-1' pragma: 
@@ -46690,7 +48541,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46703,16 +48554,16 @@ interactions: initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit - https://aka.ms/gcpol","metadata":{"category":"Guest Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-
centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.Compute/imageOffer","like":"linux*"}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"}' + https://aka.ms/gcpol","metadata":{"version":"1.1.0","category":"Guest 
Configuration"},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","in":["microsoft-aks","AzureDatabricks","qubole-inc","datastax","couchbase","scalegrid","checkpoint","paloaltonetworks"]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"OpenLogic"},{"field":"Microsoft.Compute/imageOffer","like":"CentOS*"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"RHEL"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"RedHat"},{"field":"Microsoft.Compute/imageOffer","equals":"osa"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"credativ"},{"field":"Microsoft.Compute/imageOffer","equals":"Debian"},{"field":"Microsoft.Compute/imageSKU","notLike":"7*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Suse"},{"field":"Microsoft.Compute/imageOffer","like":"SLES*"},{"field":"Microsoft.Compute/imageSKU","notLike":"11*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"Canonical"},{"field":"Microsoft.Compute/imageOffer","equals":"UbuntuServer"},{"field":"Microsoft.Compute/imageSKU","notLike":"12*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-dsvm"},{"field":"Microsoft.Compute/imageOffer","in":["linux-data-science-vm-ubuntu","azureml"]}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-centos-os"},{"field":"Microsoft.Compute/imageSKU","notLike":"6*"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"cloudera"},{"field":"Microsoft.Compute/imageOffer","equals":"cloudera-altus-centos-os"}]},{"allOf":[{"field":"Microsoft.Compute/imagePublisher","equals":"microsoft-ads"},{"field":"Microsoft.
Compute/imageOffer","like":"linux*"}]},{"allOf":[{"anyOf":[{"field":"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration","exists":"true"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType","like":"Linux*"}]},{"anyOf":[{"field":"Microsoft.Compute/imagePublisher","exists":"false"},{"field":"Microsoft.Compute/imagePublisher","notIn":["OpenLogic","RedHat","credativ","Suse","Canonical","microsoft-dsvm","cloudera","microsoft-ads"]}]}]}]}]},{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/imageOffer","like":"linux*"}]}]},"then":{"effect":"auditIfNotExists","details":{"type":"Microsoft.GuestConfiguration/guestConfigurationAssignments","name":"installed_application_linux","existenceCondition":{"field":"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus","equals":"Compliant"}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004","type":"Microsoft.Authorization/policyDefinitions","name":"fee5cb2b-9d9b-410e-afe3-2902d90d0004"}' headers: cache-control: - no-cache content-length: - - '3192' + - '3640' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:35 GMT + - Thu, 06 Feb 2020 00:20:17 GMT expires: - '-1' pragma: @@ -46743,7 +48594,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46760,7 +48611,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:36 GMT + - Thu, 06 Feb 2020 00:20:17 GMT expires: - '-1' pragma: 
@@ -46787,7 +48638,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46797,17 +48648,18 @@ interactions: string: '{"properties":{"displayName":"Vulnerabilities on your SQL databases should be remediated","policyType":"BuiltIn","mode":"Indexed","description":"Monitor Vulnerability Assessment scan results and recommendations for how to remediate - database vulnerabilities.","metadata":{"category":"Security Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + database vulnerabilities.","metadata":{"version":"1.0.0","category":"Security + Center"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","in":["Microsoft.Sql/servers/databases","Microsoft.Sql/managedinstances/databases"]},"then":{"effect":"[parameters(''effect'')]","details":{"type":"Microsoft.Security/complianceResults","name":"sqlVulnerabilityAssessment","existenceCondition":{"field":"Microsoft.Security/complianceResults/resourceStatus","in":["OffByPolicy","Healthy"]}}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc","type":"Microsoft.Authorization/policyDefinitions","name":"feedbf84-6b99-488c-acc2-71c829aa5ffc"}' headers: cache-control: - no-cache content-length: - - '1092' + - '1110' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:38 GMT + - Thu, 06 Feb 2020 00:20:17 GMT expires: - '-1' pragma: 
@@ -46838,7 +48690,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46855,7 +48707,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:40 GMT + - Thu, 06 Feb 2020 00:20:18 GMT expires: - '-1' pragma: @@ -46882,7 +48734,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46891,21 +48743,21 @@ interactions: body: string: '{"properties":{"displayName":"[Preview]: Manage certificate validity period","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the maximum validity period for certificates in months.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"The - maximum validity in months","description":"The limit to how long a certificate + policy manages the maximum validity period for certificates in months.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumValidityInMonths":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum validity in months","description":"The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren''t best - practice."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"}' + practice."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths","greater":"[parameters(''maximumValidityInMonths'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560","type":"Microsoft.Authorization/policyDefinitions","name":"0a075868-4c26-42ef-914c-5bc007359560"}' headers: cache-control: - no-cache content-length: - - '1117' + - '1165' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:41 GMT + - Thu, 06 Feb 2020 00:20:18 GMT expires: - '-1' pragma: @@ -46936,7 +48788,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -46953,7 +48805,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:43 GMT + - Thu, 06 Feb 2020 00:20:20 GMT expires: - '-1' pragma: @@ -46980,7 +48832,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -46992,7 +48844,7 @@ interactions: policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerPortsRegex":{"type":"String","metadata":{"displayName":"Allowed container ports regex","description":"Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable @@ -47001,11 +48853,11 @@ interactions: cache-control: - no-cache content-length: - - '1653' + - '1679' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:45 GMT + - Thu, 06 Feb 2020 00:20:20 GMT expires: - '-1' pragma: @@ -47036,7 +48888,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47053,7 +48905,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:47 GMT + - Thu, 06 Feb 2020 00:20:22 GMT expires: - '-1' pragma: @@ -47080,7 +48932,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47089,19 +48941,19 @@ interactions: body: string: '{"properties":{"displayName":"[Preview]: Manage allowed certificate key types","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the allowed key types for certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"Allowed - key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"}' + policy manages the allowed key types for certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedKeyTypes":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed key types","description":"The list of allowed certificate key types."},"allowedValues":["RSA","RSA-HSM","EC","EC-HSM"],"defaultValue":["RSA","RSA-HSM"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","notIn":"[parameters(''allowedKeyTypes'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f","type":"Microsoft.Authorization/policyDefinitions","name":"1151cede-290b-4ba0-8b38-0ad145ac888f"}' headers: cache-control: - no-cache content-length: - - '1069' + - '1117' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:49 GMT + - Thu, 06 Feb 2020 00:20:22 GMT expires: - '-1' pragma: @@ -47132,7 +48984,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47149,7 +49001,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:51 GMT + - Thu, 06 Feb 2020 00:20:22 GMT expires: - '-1' pragma: @@ -47176,7 +49028,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47186,25 +49038,26 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Manage certificate lifetime action triggers","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the configuration for certificate lifetime action triggers - before certificate expiration.","metadata":{"category":"Key Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"The - maximum lifetime percentage","description":"Enter the percentage of lifetime + before certificate expiration.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"maximumPercentageLife":{"type":"Integer","metadata":{"displayName":"[Preview]: + The maximum lifetime percentage","description":"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate''s valid life, enter - ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"The - minimum days before expiry","description":"Enter the days before expiration + ''80''."}},"minimumDaysBeforeExpiry":{"type":"Integer","metadata":{"displayName":"[Preview]: + The minimum days before expiry","description":"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate''s expiration, enter - ''90''."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"}' + ''90''."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"anyOf":[{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry","less":"[parameters(''minimumDaysBeforeExpiry'')]"}]},{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","exists":"True"},{"field":"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage","greater":"[parameters(''maximumPercentageLife'')]"}]}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417","type":"Microsoft.Authorization/policyDefinitions","name":"12ef42cb-9903-4e39-9c26-422d29570417"}' headers: cache-control: - no-cache content-length: - - '1929' + - '1988' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:53 GMT + - Thu, 06 Feb 2020 00:20:22 GMT expires: - '-1' pragma: @@ -47235,7 +49088,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47252,7 +49105,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:55 GMT + - Thu, 06 Feb 2020 00:20:24 GMT expires: - '-1' pragma: @@ -47279,7 +49132,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47291,7 +49144,7 @@ interactions: policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"commaSeparatedListOfLabels":{"type":"String","metadata":{"displayName":"Comma-separated list of labels","description":"A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. test1,test2"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable @@ -47300,11 +49153,11 @@ interactions: cache-control: - no-cache content-length: - - '1598' + - '1624' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:56 GMT + - Thu, 06 Feb 2020 00:20:24 GMT expires: - '-1' pragma: @@ -47335,7 +49188,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47352,7 +49205,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:58 GMT + - Thu, 06 Feb 2020 00:20:26 GMT expires: - '-1' pragma: @@ -47379,7 +49232,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47389,18 +49242,18 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on - using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","type":"Microsoft.Authorization/policyDefinitions","name":"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"}' headers: cache-control: - no-cache content-length: - - '1177' + - '1203' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:19:59 GMT + - Thu, 06 Feb 2020 00:20:26 GMT expires: - '-1' pragma: @@ -47431,7 +49284,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47448,7 +49301,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:02 GMT + - Thu, 06 Feb 2020 00:20:26 GMT expires: - '-1' pragma: @@ -47475,7 +49328,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47485,7 +49338,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces services to listen only on allowed ports in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedServicePortsList":{"type":"Array","metadata":{"displayName":"Allowed service ports list","description":"The list of service ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -47494,11 +49347,11 @@ interactions: cache-control: - no-cache content-length: - - '1482' + - '1508' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:03 GMT + - Thu, 06 Feb 2020 00:20:27 GMT expires: - '-1' pragma: 
@@ -47529,7 +49382,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47546,7 +49399,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:05 GMT + - Thu, 06 Feb 2020 00:20:27 GMT expires: - '-1' pragma: @@ -47573,7 +49426,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47585,7 +49438,7 @@ interactions: policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedServicePortsRegex":{"type":"String","metadata":{"displayName":"Allowed service ports regex","description":"Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable @@ -47594,11 +49447,11 @@ interactions: cache-control: - no-cache content-length: - - '1635' + - '1661' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:06 GMT + - Thu, 06 Feb 2020 00:20:28 GMT expires: - '-1' pragma: 
@@ -47629,7 +49482,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47646,7 +49499,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:09 GMT + - Thu, 06 Feb 2020 00:20:30 GMT expires: - '-1' pragma: @@ -47673,7 +49526,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47685,18 +49538,18 @@ interactions: policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction on using this policy, - please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"HttpsIngressOnly","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3","type":"Microsoft.Authorization/policyDefinitions","name":"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"}' headers: cache-control: - no-cache content-length: - - '1253' + - '1279' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:10 GMT + - Thu, 06 Feb 2020 00:20:30 GMT expires: - '-1' pragma: @@ -47727,7 +49580,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47744,7 +49597,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:12 GMT + - Thu, 06 Feb 2020 00:20:31 GMT expires: - '-1' pragma: 
@@ -47771,7 +49624,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47781,18 +49634,18 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces load balancers do not have public IPs in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e","type":"Microsoft.Authorization/policyDefinitions","name":"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"}' headers: cache-control: - no-cache content-length: - - '1229' + - '1255' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:14 GMT + - Thu, 06 Feb 2020 00:20:31 GMT expires: - '-1' pragma: 
@@ -47823,7 +49676,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47840,7 +49693,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:16 GMT + - Thu, 06 Feb 2020 00:20:32 GMT expires: - '-1' pragma: @@ -47867,7 +49720,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47877,7 +49730,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces containers to listen only on allowed ports in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerPortsList":{"type":"Array","metadata":{"displayName":"Allowed container ports list","description":"The list of container ports allowed in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS 
@@ -47886,11 +49739,11 @@ interactions: cache-control: - no-cache content-length: - - '1500' + - '1526' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:17 GMT + - Thu, 06 Feb 2020 00:20:33 GMT expires: - '-1' pragma: @@ -47921,7 +49774,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -47938,7 +49791,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:19 GMT + - Thu, 06 Feb 2020 00:20:34 GMT expires: - '-1' pragma: @@ -47965,7 +49818,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -47975,7 +49828,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces the specified labels are provided for pods in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"labelsList":{"type":"Array","metadata":{"displayName":"List of labels","description":"The list of labels to be specified on Pods in a Kubernetes cluster."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS @@ -47984,11 +49837,11 @@ interactions: cache-control: - no-cache content-length: - - '1414' + - '1440' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:21 GMT + - Thu, 06 Feb 2020 00:20:34 GMT expires: - '-1' pragma: @@ -48019,7 +49872,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48036,7 +49889,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:23 GMT + - Thu, 06 Feb 2020 00:20:35 GMT expires: - '-1' pragma: 
@@ -48063,7 +49916,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48075,7 +49928,7 @@ interactions: policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images @@ -48085,11 +49938,11 @@ interactions: cache-control: - no-cache content-length: - - '1662' + - '1688' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:24 GMT + - Thu, 06 Feb 2020 00:20:35 GMT expires: - '-1' pragma: @@ -48120,7 +49973,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48137,7 +49990,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:27 GMT + - Thu, 06 Feb 2020 00:20:36 GMT expires: - '-1' pragma: 
@@ -48164,7 +50017,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48176,18 +50029,18 @@ interactions: policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerNoPrivilege","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531","type":"Microsoft.Authorization/policyDefinitions","name":"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"}' headers: cache-control: - no-cache content-length: - - '1297' + - '1323' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:28 GMT + - Thu, 06 Feb 2020 00:20:36 GMT expires: - '-1' pragma: 
@@ -48218,7 +50071,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48235,7 +50088,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:31 GMT + - Thu, 06 Feb 2020 00:20:38 GMT expires: - '-1' pragma: @@ -48262,7 +50115,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48272,19 +50125,20 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Manage certificates issued by an integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified key vault integrated - Certificate Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"Allowed - Azure Key Vault Supported CAs","description":"The list of allowed certificate - authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"}' + Certificate Authority.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"allowedCAs":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed Azure Key Vault Supported CAs","description":"The list of allowed + certificate authorities supported by Azure Key Vault."},"allowedValues":["DigiCert","GlobalSign"],"defaultValue":["DigiCert","GlobalSign"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.name","notIn":"[parameters(''allowedCAs'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82","type":"Microsoft.Authorization/policyDefinitions","name":"8e826246-c976-48f6-b03e-619bb92b3d82"}' headers: cache-control: - no-cache content-length: - - '1155' + - '1203' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:32 GMT + - Thu, 06 Feb 2020 00:20:38 GMT expires: - '-1' pragma: @@ -48315,7 +50169,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48332,7 +50186,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:34 GMT + - Thu, 06 Feb 2020 00:20:39 GMT expires: - '-1' pragma: @@ -48359,7 +50213,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48369,18 +50223,18 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy does not allow privileged containers creation in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4","type":"Microsoft.Authorization/policyDefinitions","name":"95edb821-ddaf-4404-9732-666045e056b4"}' headers: cache-control: - no-cache content-length: - - '1221' + - '1247' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:35 GMT + - Thu, 06 Feb 2020 00:20:39 GMT expires: - '-1' pragma: 
@@ -48411,7 +50265,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48428,7 +50282,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:38 GMT + - Thu, 06 Feb 2020 00:20:40 GMT expires: - '-1' pragma: @@ -48455,7 +50309,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48465,20 +50319,20 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Manage certificates issued by a non-integrated CA","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates are issued by a specified non-integrated Certificate - Authority.","metadata":{"category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"The - common name of the certificate authority","description":"The common name (CN) - of the Certificate Authority (CA) provider. For example, for an issuer CN - = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"}' + Authority.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"caCommonName":{"type":"String","metadata":{"displayName":"[Preview]: + The common name of the certificate authority","description":"The common name + (CN) of the Certificate Authority (CA) provider. 
For example, for an issuer + CN = Contoso, OU = .., DC = .., you can specify Contoso"}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName","notContains":"[parameters(''caCommonName'')]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341","type":"Microsoft.Authorization/policyDefinitions","name":"a22f4a40-01d3-4c7d-8071-da157eeff341"}' headers: cache-control: - no-cache content-length: - - '1167' + - '1215' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:39 GMT + - Thu, 06 Feb 2020 00:20:40 GMT expires: - '-1' pragma: @@ -48509,7 +50363,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48526,7 +50380,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:41 GMT + - Thu, 06 Feb 2020 00:20:43 GMT expires: - '-1' pragma: @@ -48553,7 +50407,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48565,18 +50419,18 @@ interactions: policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. - For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + For instruction on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"ContainerResourceLimits","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4","type":"Microsoft.Authorization/policyDefinitions","name":"a2d3ed81-8d11-4079-80a5-1faadc0024f4"}' headers: cache-control: - no-cache content-length: - - '1347' + - '1373' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:43 GMT + - Thu, 06 Feb 2020 00:20:43 GMT expires: - '-1' pragma: @@ -48607,7 +50461,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48624,7 +50478,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:45 GMT + - Thu, 06 Feb 2020 00:20:44 GMT expires: - '-1' pragma: @@ -48651,7 +50505,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48663,18 +50517,18 @@ interactions: policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"LoadBalancersInternal","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698","type":"Microsoft.Authorization/policyDefinitions","name":"a74d8f00-2fd9-4ce4-968e-0ee1eb821698"}' headers: cache-control: - no-cache content-length: - - '1299' + - '1325' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:47 GMT + - Thu, 06 Feb 2020 00:20:44 GMT expires: - '-1' pragma: 
@@ -48705,7 +50559,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48722,7 +50576,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:49 GMT + - Thu, 06 Feb 2020 00:20:45 GMT expires: - '-1' pragma: @@ -48749,7 +50603,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48759,18 +50613,18 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy enforces unique ingress hostnames across namespaces in a Kubernetes - cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable + cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["enforceOPAConstraint","disabled"],"defaultValue":"enforceOPAConstraint"}},"policyRule":{"if":{"field":"type","in":["AKS Engine"]},"then":{"effect":"[parameters(''effect'')]","details":{"constraintTemplate":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml","constraint":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d","type":"Microsoft.Authorization/policyDefinitions","name":"b2fd3e59-6390-4f2b-8247-ea676bd03e2d"}' headers: cache-control: - no-cache content-length: - - '1251' + - '1277' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:50 GMT + - Thu, 06 Feb 2020 00:20:45 GMT expires: - '-1' pragma: 
@@ -48801,7 +50655,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48818,7 +50672,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:52 GMT + - Thu, 06 Feb 2020 00:20:47 GMT expires: - '-1' pragma: @@ -48845,7 +50699,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48855,19 +50709,19 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Manage allowed curve names for elliptic curve cryptography certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages the allowed elliptic curve names for elliptic curve cryptography - certificates.","metadata":{"category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"Allowed - elliptic curve names","description":"The list of allowed curve names for elliptic - curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"}' + certificates.","metadata":{"version":"1.0.0-preview","category":"Key Vault","preview":true},"parameters":{"allowedECNames":{"type":"Array","metadata":{"displayName":"[Preview]: + Allowed elliptic curve names","description":"The list of allowed curve names + for elliptic curve cryptography certificates."},"allowedValues":["P-256","P-256K","P-384","P-521"],"defaultValue":["P-256","P-256K","P-384","P-521"]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["EC","EC-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName","notIn":"[parameters(''allowedECNames'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf","type":"Microsoft.Authorization/policyDefinitions","name":"bd78111f-4953-4367-9fd5-7e08808b54bf"}' headers: cache-control: - no-cache content-length: - - '1328' + - '1376' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:54 GMT + - Thu, 06 Feb 2020 00:20:47 GMT expires: - '-1' pragma: @@ -48898,7 +50752,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -48915,7 +50769,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:56 GMT + - Thu, 06 Feb 2020 00:20:48 GMT expires: - '-1' pragma: @@ -48942,7 +50796,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -48951,19 +50805,19 @@ interactions: body: string: '{"properties":{"displayName":"[Preview]: Manage minimum key size for RSA certificates","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This - policy manages the minimum key size for RSA certificates.","metadata":{"category":"Key - Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"Minimum - RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"}' + policy manages the minimum key size for RSA certificates.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"minimumRSAKeySize":{"type":"Integer","metadata":{"displayName":"[Preview]: + Minimum RSA key size","description":"The minimum key size for RSA certificates."},"allowedValues":[2048,3072,4096]},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the 
policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"allOf":[{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType","in":["RSA","RSA-HSM"]},{"field":"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize","less":"[parameters(''minimumRSAKeySize'')]"}]},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0","type":"Microsoft.Authorization/policyDefinitions","name":"cee51871-e572-4576-855c-047c820360f0"}' headers: cache-control: - no-cache content-length: - - '1153' + - '1201' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:20:58 GMT + - Thu, 06 Feb 2020 00:20:48 GMT expires: - '-1' pragma: @@ -48994,7 +50848,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -49011,7 +50865,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:00 GMT + - Thu, 06 Feb 2020 00:20:49 GMT expires: - '-1' pragma: @@ -49038,7 +50892,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -49050,18 +50904,18 @@ interactions: policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instruction - on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"category":"Kubernetes + on using this policy, please go to https://aka.ms/akspolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes service"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["EnforceRegoPolicy","Disabled"],"defaultValue":"EnforceRegoPolicy"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},"then":{"effect":"[parameters(''effect'')]","details":{"policyId":"UniqueIngressHostnames","policy":"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"}}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60","type":"Microsoft.Authorization/policyDefinitions","name":"d011d9f7-ba32-4005-b727-b3d09371ca60"}' headers: cache-control: - no-cache content-length: - - '1325' + - '1351' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:01 GMT + - Thu, 06 Feb 2020 00:20:49 GMT expires: - '-1' pragma: @@ -49092,7 +50946,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -49109,7 +50963,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:04 GMT + - Thu, 06 Feb 2020 00:20:51 GMT expires: - '-1' pragma: @@ -49136,7 +50990,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -49148,7 +51002,7 @@ interactions: cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions - on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max + on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"cpuLimit":{"type":"String","metadata":{"displayName":"Max allowed CPU units","description":"The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"}},"memoryLimit":{"type":"String","metadata":{"displayName":"Max allowed memory bytes","description":"The maximum memory bytes allowed for @@ -49159,11 +51013,11 @@ interactions: cache-control: - no-cache content-length: - - '1882' + - '1908' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:05 GMT + - Thu, 06 Feb 2020 00:20:51 GMT expires: - '-1' pragma: @@ -49194,7 +51048,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -49211,7 +51065,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:07 GMT + - Thu, 06 Feb 2020 00:20:53 GMT expires: - '-1' pragma: @@ -49238,7 +51092,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET 
@@ -49248,19 +51102,20 @@ interactions: string: '{"properties":{"displayName":"[Preview]: Manage certificates that are within a specified number of days of expiration","policyType":"BuiltIn","mode":"Microsoft.KeyVault.Data","description":"This policy manages certificates that are within a specified number of days to - their expiration date.","metadata":{"category":"Key Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"Days - to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable - or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), + their expiration date.","metadata":{"version":"1.0.0-preview","category":"Key + Vault","preview":true},"parameters":{"daysToExpire":{"type":"Integer","metadata":{"displayName":"[Preview]: + Days to expire","description":"The number of days for a certificate to expire."}},"effect":{"type":"String","metadata":{"displayName":"[Preview]: + Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["audit","deny","disabled"],"defaultValue":"audit"}},"policyRule":{"if":{"field":"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn","lessOrEquals":"[addDays(utcNow(), parameters(''daysToExpire''))]"},"then":{"effect":"[parameters(''effect'')]"}}},"id":"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427","type":"Microsoft.Authorization/policyDefinitions","name":"f772fb64-8e40-40ad-87bc-7706e1949427"}' headers: cache-control: - no-cache content-length: - - '1093' + - '1141' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:09 GMT + - Thu, 06 Feb 2020 00:20:53 GMT expires: - '-1' pragma: 
@@ -49291,7 +51146,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -49308,7 +51163,7 @@ interactions: content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:11 GMT + - Thu, 06 Feb 2020 00:20:54 GMT expires: - '-1' pragma: @@ -49335,7 +51190,7 @@ interactions: - -n User-Agent: - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2 - azure-mgmt-resource/6.0.0 Azure-SDK-For-Python AZURECLI/2.0.77 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.0.81 accept-language: - en-US method: GET @@ -49345,7 +51200,7 @@ interactions: string: '{"properties":{"displayName":"[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster","policyType":"BuiltIn","mode":"Microsoft.Kubernetes.Data","description":"This policy ensures only allowed container images are running in a Kubernetes cluster. - For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.","metadata":{"version":"1.0.0-preview","category":"Kubernetes"},"parameters":{"allowedContainerImagesRegex":{"type":"String","metadata":{"displayName":"Allowed container images regex","description":"Regex representing container images allowed in a Kubernetes cluster. E.g. Regex for azure container registry images is ^.+azurecr.io/.+$"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable 
@@ -49355,11 +51210,11 @@ interactions: cache-control: - no-cache content-length: - - '1579' + - '1605' content-type: - application/json; charset=utf-8 date: - - Fri, 06 Dec 2019 22:21:12 GMT + - Thu, 06 Feb 2020 00:20:54 GMT expires: - '-1' pragma: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py index f41761349e3..65d0be75417 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py @@ -760,6 +760,9 @@ def applyPolicyAtScope(self, scope, policyId, enforcementMode='Default'): self.check('enforcementMode', '{em}') ]) + # ensure the policy assignment shows up in the list result + self.cmd('policy assignment list --scope {scope}', checks=self.check("length([?name=='{pan}'])", 1)) + # delete the assignment and validate it's gone self.cmd('policy assignment delete -n {pan} --scope {scope}') self.cmd('policy assignment list --disable-scope-strict-match', checks=self.check("length([?name=='{pan}'])", 0)) @@ -778,6 +781,7 @@ def resource_policy_operations(self, resource_group, management_group=None, subs 'metadata': 'test', 'updated_metadata': 'test2', }) + if (management_group): self.kwargs.update({'mg': management_group}) if (subscription): @@ -932,6 +936,9 @@ def resource_policyset_operations(self, resource_group, management_group=None, s self.check('sku.tier', 'Free'), ]) + # ensure the assignment appears in the list results + self.cmd('policy assignment list --resource-group {rg}', checks=self.check("length([?name=='{pan}'])", 1)) + # delete the assignment and validate it's gone self.cmd('policy assignment delete -n {pan} -g {rg}') self.cmd('policy assignment list --disable-scope-strict-match', checks=self.check("length([?name=='{pan}'])", 0)) 
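Review bot: In applyPolicyAtScope (the -760 hunk) the new `policy assignment list --scope {scope}` check runs only before the delete, while the existing post-delete check two lines below still lists without `--scope`. For a management-group scope that unscoped query presumably goes to the default subscription, so it would pass even if the assignment were still present. Repeating the scoped query after the delete closes the gap: `self.cmd('policy assignment list --scope {scope}', checks=self.check("length([?name=='{pan}'])", 0))`. The function body starts and ends outside the hunk, so an equivalent check may already exist further down.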
@@ -1101,6 +1108,10 @@ def test_resource_policy_management_group(self, resource_group):
 self.cmd('account management-group create -n ' + management_group_name)
 try:
 self.resource_policy_operations(resource_group, management_group_name)
+
+ # Attempt to get a policy definition at an invalid management group scope
+ with self.assertRaises(IncorrectUsageError):
+ self.cmd(self.cmdstring('policy definition show -n "/providers/microsoft.management/managementgroups/myMg/providers/microsoft.authorization/missingsegment"'))
 finally:
 self.cmd('account management-group delete -n ' + management_group_name)
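Review bot: The new negative case in test_resource_policy_management_group sits inside the `try`, after `resource_policy_operations`, so it runs only once a real management group exists and every earlier operation has passed, although the malformed ID it checks (hard-coded `myMg`, one segment short) needs no live group. What the test pins is presumably that a truncated management-group ID is rejected rather than looked up as a plain policy name, and the comment should say so: `# a truncated management-group ID must be rejected, not looked up as a plain policy name`. Only one malformed shape is covered; an ID with the right segment count but a wrong provider segment would be a useful companion case. The import of `IncorrectUsageError` is not visible in this hunk, and the test method starts outside it.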